GhostTree Technique Traps EDR Scanners in Infinite Directory Loops

GhostTree exploits NTFS junctions to create recursive directory loops that trap EDR scanners in infinite traversal paths, leaving malicious files undetected.

CSBadmin
2 Min Read

How the Attack Works

Researchers at Varonis Threat Labs have identified a novel evasion technique called GhostTree that exploits NTFS junctions to create recursive directory loops. An NTFS junction is a filesystem-level redirect (a reparse point) that makes one directory path resolve to another, and creating one requires only write access to the directory in which the junction is placed, not administrative privileges or the SeCreateSymbolicLinkPrivilege needed for true symbolic links. An attacker can create one from a standard command prompt with mklink /J <link> <target>, which links a new path to an existing target directory.

The foundational GhostBranch attack involves an adversary creating a junction inside a directory that points back to that directory's parent, building a logical loop in which the child folder appears to contain the parent's full contents, including the junction itself, at every level of descent. GhostTree amplifies this by placing several such junctions in the same parent folder, so every level of the loop branches several ways and the number of distinct paths grows exponentially with depth. With single-letter folder names, this yields a directory structure resembling a binary (or wider) tree that branches recursively until it hits operating system limits.

Impact on Security Products

When Endpoint Detection and Response (EDR) scanners attempt to recursively scan these manipulated directories, they follow the junctions back into the same parent over and over, and each level multiplies the number of paths still to be visited. The scanning engine becomes entirely consumed by the directory loop and ultimately hangs without completing its task. Any actual malware placed alongside the junctions remains unscanned and undetected by the endpoint agent.

Windows' legacy MAX_PATH limit of 260 characters (which can be lifted per application with long-path support, but still applies to many scanners) caps how deep a recursive directory loop can extend. Even within that constraint, the researchers estimate that the GhostTree technique creates approximately 2^126 distinct file paths, presenting an overwhelming number of routes to a single executable. Varonis researchers successfully validated this evasion technique, highlighting its simplicity and severe impact on file system analysis.
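As an added example (not the researchers' code or anything published with the article), the script below builds the GhostBranch and GhostTree layouts in a temporary directory, shows how a link-following scanner's work grows exponentially with depth, and contrasts it with a loop-safe walk that never enters reparse points and tracks directory identity. Assumptions that are not in the article: on Windows it creates real junctions through CPython's private _winapi.CreateJunction helper; on other platforms a directory symlink stands in for the junction, since junctions are NTFS-specific; the payload.exe marker file is a harmless constructed placeholder; and the path_count estimate is a simple model whose exponent depends on the prefix and file name lengths passed to it, so it does not reproduce the researchers' exact 2^126 figure.

```python
"""Added example, not the Varonis researchers' code: build GhostBranch /
GhostTree directory loops and compare a naive link-following scanner with a
loop-safe one.

Assumptions (not from the article): on Windows the loop is made of real NTFS
junctions via CPython's private _winapi.CreateJunction; elsewhere a directory
symlink stands in for the junction. payload.exe is a constructed placeholder.
"""
import os
import stat
import tempfile


def make_junction(target: str, link: str) -> None:
    """Create a junction (Windows) or a directory symlink stand-in (POSIX)."""
    if os.name == "nt":
        import _winapi  # CPython-internal helper, present on Windows builds
        _winapi.CreateJunction(target, link)
    else:
        os.symlink(target, link, target_is_directory=True)


def build_ghost_tree(root: str, branches: int = 2) -> str:
    """Parent folder holding one payload plus `branches` links back to itself.

    branches=1 is the GhostBranch layout, branches=2 the binary GhostTree.
    """
    parent = os.path.join(root, "p")
    os.mkdir(parent)
    with open(os.path.join(parent, "payload.exe"), "wb") as f:
        f.write(b"MZ")  # constructed stand-in, not a real executable
    for name in "abcdefghijklmnopqrstuvwxyz"[:branches]:
        make_junction(parent, os.path.join(parent, name))  # child -> parent
    return parent


def naive_scan(root: str, max_depth: int) -> int:
    """Scanner that follows every directory link, as a trapped EDR would.

    Without max_depth this never terminates on a looped tree. With it, the
    number of times payload.exe is encountered is sum(branches**d for d in
    0..max_depth), which is the exponential blow-up the article describes.
    """
    hits = 0
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        with os.scandir(path) as it:
            for entry in it:
                if entry.is_dir(follow_symlinks=True):
                    if depth < max_depth:
                        stack.append((entry.path, depth + 1))
                elif entry.name == "payload.exe":
                    hits += 1
    return hits


def is_reparse_point(entry: os.DirEntry) -> bool:
    """True for symlinks anywhere and for NTFS reparse points (junctions)."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # Windows-only stat field
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def safe_scan(root: str) -> tuple:
    """Loop-safe scanner: records but never enters reparse points, and refuses
    to re-enter a directory whose (st_dev, st_ino) identity it has seen.
    Returns (files_scanned, links_or_loops_skipped)."""
    seen, files, skipped = set(), 0, 0
    stack = [root]
    while stack:
        path = stack.pop()
        st = os.stat(path)
        if (st.st_dev, st.st_ino) in seen:
            skipped += 1
            continue
        seen.add((st.st_dev, st.st_ino))
        with os.scandir(path) as it:
            for entry in it:
                if entry.is_dir(follow_symlinks=False) and not is_reparse_point(entry):
                    stack.append(entry.path)
                elif entry.is_dir(follow_symlinks=True):
                    skipped += 1  # junction/symlink to a directory: log, do not descend
                else:
                    files += 1
    return files, skipped


def path_count(prefix_len: int, name_len: int, branches: int, max_path: int = 260) -> int:
    """Distinct paths to the payload that fit in max_path when each loop level
    adds one single-letter folder plus a separator (2 characters). Toy model."""
    levels = (max_path - prefix_len - name_len) // 2
    return sum(branches ** k for k in range(levels + 1))


def demo(branches: int = 2, max_depth: int = 5) -> dict:
    """Build the loop, run both scanners, and report what each saw."""
    with tempfile.TemporaryDirectory() as tmp:
        parent = build_ghost_tree(tmp, branches)
        naive = naive_scan(parent, max_depth)
        files, skipped = safe_scan(parent)
    return {"naive_payload_hits": naive, "safe_files": files, "safe_links_skipped": skipped}


if __name__ == "__main__":
    print("GhostBranch:", demo(branches=1), "GhostTree:", demo(branches=2))
    print("toy path estimate for C:\\p\\ + payload.exe:", path_count(5, 11, 2))
```

The naive scanner needs an artificial depth cap to terminate at all, and its payload hit count doubles at every level for the two-junction layout, which is the trap the article describes. The loop-safe scanner finds the payload exactly once and reports the junctions it declined to follow, which is the behaviour a file system scanner should have: treat a reparse point as a finding to log, not a directory to enter, and keep a visited set on directory identity rather than on path strings, since the path strings are exactly what the attacker is multiplying.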

Source: Cyber Security News
