VYPR
Research · Published Jun 16, 2026 · 1 source

GhostTree Attack Abuses Recursive Windows Junctions to Evade Microsoft Defender Scans

Varonis researchers detail GhostTree, a technique that exploits recursive NTFS junctions to generate billions of valid file paths, causing Microsoft Defender folder scans to hang and allowing malware to remain undetected.

Varonis researchers have uncovered a novel file system evasion technique called GhostTree that abuses recursive NTFS junctions to generate an astronomically large number of valid Windows file paths, effectively causing Microsoft Defender folder scans to never complete and allowing malware to remain hidden from detection.

The technique exploits a design limitation in how Windows handles NTFS junctions and symbolic links. Any user with write access to a folder can create a junction that points back to its own parent directory, creating a recursive loop. When security tools attempt to recursively scan the directory, they follow the loop indefinitely, generating an effectively infinite number of paths and never finishing the scan. Malicious files sitting in the same parent directory go unexamined.

Varonis demonstrated two variants: GhostBranch, which uses a single recursive junction, and GhostTree, which creates multiple child folders that each loop back to the parent. With two child folders named "P" and "B," each level of the path can branch through either, creating a binary tree-like structure. The maximum path depth of 126 folders yields approximately 2^126 (8.5 × 10^37) unique paths — vastly more than the number of grains of sand on Earth or atoms in the human body.

The researchers confirmed that this technique successfully evades Microsoft Defender folder scans. They reported the issue to Microsoft, but the ticket was closed with the explanation that "bypassing Defender is…" (the article cuts off). The attack requires no administrative privileges and only a single command: mklink /J C:\Parent\Child C:\Parent.

GhostTree represents a significant blind spot for endpoint detection and response (EDR) products that rely on recursive file system enumeration. While the technique is currently theoretical, it could be weaponized by attackers to hide malware in folders that security tools cannot fully scan. Organizations should monitor for unusual junction creation and consider implementing scanning timeouts or depth limits in their security tools.
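The depth limit and cycle detection suggested above, as an added illustration that is not from Varonis or the article: a directory walker that identifies each directory by its resolved (device, inode) identity, so a child junction that resolves back to an ancestor is reported as a loop instead of being followed. The fixture it builds is constructed here and uses symlinks as a cross-platform stand-in for the "P"/"B" junctions the article describes; the depth cap of 64 and all function names are assumptions.

```python
import os
import tempfile
from pathlib import Path

MAX_DEPTH = 64  # assumed cap, chosen below the 126-folder limit the article cites


def dir_identity(path):
    """(device, inode) of the directory a path finally resolves to.
    A junction or symlink back to the parent resolves to the parent's own
    identity, so the loop is visible however the path string is spelled."""
    st = os.stat(path)  # follows junctions and symlinks
    return (st.st_dev, st.st_ino)


def walk_safely(root, max_depth=MAX_DEPTH):
    """Enumerate regular files under root without looping on recursive links.
    Returns (files, loops, truncated): files found, link paths at which a
    cycle back to an ancestor was detected, and whether the depth cap hit."""
    files, loops, truncated = [], [], False

    def visit(path, depth, ancestors):
        nonlocal truncated
        ident = dir_identity(path)
        if ident in ancestors:          # already on the descent path: a loop
            loops.append(path)
            return
        if depth > max_depth:           # defence in depth: never recurse forever
            truncated = True
            return
        try:
            entries = list(os.scandir(path))
        except OSError:
            return
        for entry in entries:
            if entry.is_dir():          # also True for links/junctions to dirs
                visit(entry.path, depth + 1, ancestors | {ident})
            elif entry.is_file(follow_symlinks=False):
                files.append(entry.path)

    visit(root, 0, frozenset())
    return files, loops, truncated


def build_fixture(base):
    """Constructed stand-in for the article's layout: Parent holds a harmless
    file plus children P and B that both point back at Parent (mklink /J on
    Windows; symlinks here so the example runs on any OS)."""
    parent = Path(base) / "Parent"
    parent.mkdir()
    (parent / "payload.txt").write_text("placeholder file, not malware\n")
    for name in ("P", "B"):
        os.symlink(parent, parent / name, target_is_directory=True)
    return str(parent)


def demo():
    """Build the fixture in a temp dir and walk it; returns summary counts."""
    files, loops, truncated = walk_safely(build_fixture(tempfile.mkdtemp()))
    return len(files), len(loops), truncated  # returns (1, 2, False)
```

The walk terminates immediately at both looping children and still reaches payload.txt in the parent, which is exactly the file an unbounded recursive scan never gets to examine.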

The discovery highlights the ongoing cat-and-mouse game between attackers and defenders, where even fundamental file system features can be repurposed for evasion. As EDR products become more sophisticated, attackers are increasingly turning to low-level OS mechanisms to bypass detection.

Synthesized by Vypr AI