GhostTree attack uses NTFS junctions to hide malware
🛡️ Attackers abuse NTFS junctions to create recursive directory loops that generate effectively infinite file paths, causing recursive scans and EDR products to hang. With only write access, an attacker can create junctions that point back to parent folders, producing GhostBranch or the more expansive GhostTree structures. These loops multiply possible paths exponentially, preventing file scanners from reaching malicious files and enabling evasion. Microsoft was notified and later patched the issue.
