GhostTree: Recursive NTFS Junctions Bypass Windows Antivirus Scans

The gist: GhostTree exploits improperly guarded NTFS junctions in the Windows file system to trap scanners in infinite loops and hide malicious files from detection.

Security researchers have documented the GhostTree technique, which uses NTFS junctions to create endless file path loops, causing antivirus scans and EDR solutions to hang. The method works without administrator privileges.

The GhostTree technique abuses NTFS junctions – directory links in the Windows file system – to construct recursive file path loops. A subdirectory is configured to point back to its own parent directory. Since any user can create such junctions without administrator privileges, this configuration can be set up with standard permissions.

Researchers distinguish two variants. GhostBranch has a single subdirectory pointing to the parent directory, creating a linear path sequence. GhostTree combines multiple such links (e.g., Child1 and Child2), each pointing back to the parent directory, forming a tree-like structure. By using different directory names at each level, the technique generates an astronomically large number of unique file paths, all leading to the same malicious file. Maximum depth is limited by Windows' maximum path length.

For standard antivirus scanners and EDR (Endpoint Detection and Response) solutions, this poses a significant problem: these tools typically scan directories recursively and thus follow the infinite loops, causing the scan process to hang or preventing proper examination of hidden files. Tests with Windows Defender showed the method actually bypasses local directory scans.

Microsoft initially assessed the bypass as not crossing a security boundary, but subsequently implemented a patch to restrict recursive exploitation. As an additional measure, researchers recommend monitoring file system activity, in particular detecting anomalous junction creation patterns, so that such attacks are identified early.
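One way to express the recommended junction-creation check, as an added example that is not code from the researchers or from Microsoft: it flags junctions whose target is their own parent directory and, going slightly beyond the article, any higher ancestor. The `(junction path, target)` record format, the function names and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample records: (junction path, junction target). Not real telemetry.
SAMPLE_JUNCTIONS = [
    (r"C:\Users\alice\work\Child1", r"\??\C:\Users\alice\work"),
    (r"C:\Users\alice\work\Child2", r"c:\users\ALICE\work"),
    (r"C:\Data\loop\again", r"C:\Data\loop"),
    (r"C:\Users\alice\Documents\Archive", r"D:\Archive"),
    (r"C:\Tools\deep\a\b\up", r"C:\Tools\deep"),
]

def normalize(raw):
    """Strip the NT namespace prefix that junction targets may carry."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if raw.startswith(prefix):
            raw = raw[len(prefix):]
    # PureWindowsPath compares case-insensitively, matching NTFS defaults.
    return PureWindowsPath(raw)

def is_recursive(junction, target):
    """True when the target is the junction's parent or any higher ancestor."""
    j, t = normalize(junction), normalize(target)
    return t == j.parent or t in j.parent.parents

def classify(records):
    """Group self-referential junctions by target and label each group."""
    groups = defaultdict(list)
    for junction, target in records:
        if is_recursive(junction, target):
            groups[str(normalize(target)).lower()].append(junction)
    findings = {}
    for target, links in groups.items():
        # One loop-back link matches GhostBranch, several match GhostTree.
        label = "GhostTree" if len(links) > 1 else "GhostBranch"
        findings[target] = (label, sorted(links))
    return findings

if __name__ == "__main__":
    for target, (label, links) in classify(SAMPLE_JUNCTIONS).items():
        print(f"{label}: {len(links)} junction(s) loop back to {target}")
        for link in links:
            print(f"  {link}")
```

A junction pointing at an unrelated location, such as the `D:\Archive` record, is not flagged, which keeps ordinary junction use out of the findings.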


Source: www.it-daily.net · Published 17 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.