Security researchers at Varonis have detailed a new attack technique, dubbed GhostTree, that exploits recursive NTFS junctions in Windows to evade detection. The method creates a vast number of valid file paths, which can overwhelm endpoint protection systems.
The severity lies in the technique's ability to prevent Microsoft Defender folder scans from ever completing, according to Varonis. Because the linked junctions yield an unbounded number of valid paths, the scanner loops indefinitely through them and never reaches the malware, which stays undetected on the system. No CVSS score or CVE has been publicly assigned at this time.
GhostTree operates by abusing Windows' native NTFS junction feature, which allows directories to be redirected to other locations. The attack links these junctions recursively, creating an exponential web of valid paths. Indicators of compromise include unusually deep or cyclical junction structures in the file system.
No official patch from Microsoft has been announced as of the report's publication. Varonis recommends that organizations audit their systems for suspicious junction chains, particularly those with excessive depth. Administrators may also consider limiting junction creation permissions as a workaround.
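The audit Varonis recommends comes down to one question: does following a junction's target let you reach another junction (or the same one again), and how long can such a chain get? The following script is an added example, not Varonis's tooling or code from the report. It models each junction as an edge from the junction to every junction that sits at or beneath its target, then looks for cycles (the recursive structures the technique relies on) and for acyclic chains deeper than a threshold. The junction inventory is a constructed sample; on a real host the same mapping would be collected with `fsutil reparsepoint query` or a `Get-ChildItem -Recurse -Attributes ReparsePoint` sweep in PowerShell, and the `max_depth` threshold of 3 is an assumed policy value.

```python
"""Audit NTFS junctions for cycles and excessive chain depth (added example).

A junction J "exposes" junction K when K lies at or beneath J's target:
entering J lets a recursive walk enter K next. A cycle in that graph means
an unbounded number of valid paths, the condition a folder scanner can never
finish enumerating. This script never creates or modifies junctions.
"""
import math

# Constructed sample inventory: junction path -> target directory.
SAMPLE_JUNCTIONS = {
    r"C:\Data\Projects\link": r"C:\Data",        # target is an ancestor: self-referential loop
    r"C:\Shares\A\toB": r"C:\Shares\B",
    r"C:\Shares\B\toC": r"C:\Shares\C",
    r"C:\Shares\C\toA": r"C:\Shares\A",          # A -> B -> C -> A cycle
    r"C:\Tools\bin": r"D:\Tools\bin",            # benign redirect, nothing beneath the target
    r"C:\Users\Public\docs": r"E:\Docs",
    r"E:\Docs\archive": r"F:\Archive",           # short acyclic chain: docs -> archive
}


def norm(path):
    """Case-fold and strip trailing separators; NTFS paths compare case-insensitively."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_within(path, root):
    """True when path equals root or lies somewhere beneath it."""
    return path == root or path.startswith(root + "\\")


def build_junction_graph(junctions):
    """Edge J -> K whenever junction K sits at or beneath J's target."""
    nodes = {norm(j): norm(t) for j, t in junctions.items()}
    graph = {j: set() for j in nodes}
    for j, target in nodes.items():
        for k in nodes:
            if is_within(k, target):
                graph[j].add(k)
    return graph


def find_cycles(graph):
    """Depth-first search; report one cycle (list of junctions) per back edge."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {n: WHITE for n in graph}
    cycles = []

    def visit(node, stack):
        color[node] = GRAY
        stack.append(node)
        for nxt in sorted(graph[node]):
            if color[nxt] == GRAY:                      # back edge: nxt is still on the stack
                cycles.append(stack[stack.index(nxt):] + [nxt])
            elif color[nxt] == WHITE:
                visit(nxt, stack)
        stack.pop()
        color[node] = BLACK

    for n in sorted(graph):
        if color[n] == WHITE:
            visit(n, [])
    return cycles


def chain_depth(graph):
    """Longest junction-to-junction chain from each node; math.inf if it can reach a cycle."""
    memo, visiting = {}, set()

    def depth(node):
        if node in memo:
            return memo[node]
        if node in visiting:                            # re-entered while still open: a cycle
            return math.inf
        visiting.add(node)
        d = 1 + max((depth(n) for n in graph[node]), default=0)
        visiting.discard(node)
        memo[node] = d
        return d

    return {n: depth(n) for n in graph}


def audit_junctions(junctions, max_depth=3):
    """Return cycles, acyclic chains deeper than max_depth, and per-junction depths."""
    graph = build_junction_graph(junctions)
    depths = chain_depth(graph)
    deep = sorted(n for n, d in depths.items() if d != math.inf and d > max_depth)
    return {"cycles": find_cycles(graph), "deep_chains": deep, "depths": depths}


if __name__ == "__main__":
    report = audit_junctions(SAMPLE_JUNCTIONS)
    for cyc in report["cycles"]:
        print("CYCLE   :", " -> ".join(cyc))
    for j in report["deep_chains"]:
        print("DEEP    :", j, "depth", report["depths"][j])
    for j, d in sorted(report["depths"].items()):
        print("junction:", j, "chain depth", d)
```

Run against the sample, the script flags the self-referential `C:\Data\Projects\link` and the three-junction `Shares` loop as cycles, while the `docs -> archive` pair is reported as an ordinary depth-2 chain. Feeding it a real inventory turns the report's "excessive depth" advice into a concrete, repeatable check that can be scheduled alongside other file-system integrity baselines.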
The broader context suggests this technique could be weaponized by advanced persistent threats seeking to bypass signature-based detection. Varonis did not link the technique to any specific threat actor, describing it as a proof of concept not yet observed in the wild, though its abuse in real-world attacks remains a concern.