GhostTree Exploit Hangs Windows Defender With NTFS Junctions

Varonis Threat Labs disclosed GhostTree, an NTFS junction loop technique that causes Windows Defender to hang and fail to detect hidden malware files.

    A newly disclosed technique requires no administrator privileges, no custom exploit code, and no malware modification — just a standard Windows command and knowledge of how filesystem scanners traverse directories. The result is a location on disk where malware can sit undetected while the security tool assigned to find it loops indefinitely.

    How GhostTree Uses NTFS Junctions to Create a Scanner-Resistant Malware Storage Location

    Varonis Threat Labs disclosed GhostTree, an attack technique that exploits Windows NTFS junction points to construct recursive directory loops. By pointing a junction back at its own parent directory, an attacker creates a filesystem structure that appears to contain an astronomical number of paths leading to the same files. When an endpoint detection and response scanner attempts to traverse that structure, it enters an infinite loop and hangs — never completing its scan, never flagging the malware stored within.

    The technique is built using the standard Windows command mklink /J, which creates junction links without requiring elevated access. Directories can be nested approximately 126 levels deep using single-letter folder names, producing the recursive structure needed to trigger the scanner hang. Because only standard write permissions are required, GhostTree is accessible to any attacker who has established a low-privilege foothold on a target system.

    Varonis Validation Against Windows Defender

    Varonis researchers tested GhostTree specifically against Windows Defender and confirmed that the recursive junction loop causes the scanner to hang without detecting malware files placed inside the structure. The technique does not alter the malware itself — there are no signature modifications, no packing changes, no attempts to fool the scanner’s detection logic. Instead, the scanner is rendered structurally unable to complete its traversal, creating what amounts to a scanner-resistant storage location built entirely from native Windows filesystem capabilities.

    That distinction sets GhostTree apart from most evasion research. Conventional signature bypass techniques require ongoing maintenance as detection vendors update their rules. GhostTree bypasses the detection engine before it can apply any rules at all.

    Microsoft’s Response and the Subsequent Patch

    Microsoft initially dismissed Varonis’s bug report as out of scope. After Varonis provided additional demonstration of the technique’s real-world security impact, Microsoft deployed a patch. The exact patch release date was not specified in Varonis’s disclosure. The sequence — initial rejection followed by a patch after researchers escalated — follows a pattern seen with other filesystem-level vulnerability reports, where the boundary between intended behavior and exploitable weakness is not always immediately apparent to the receiving team.

    Why GhostTree’s Low-Privilege Requirement Puts EDR at Risk Earlier in an Intrusion

    The low privilege requirement is the most consequential aspect of GhostTree from an attacker’s perspective. Many evasion techniques require the attacker to have already achieved administrator or SYSTEM access — a threshold that, once crossed, opens other avenues for disabling security tools entirely. GhostTree works with the level of access an attacker might have immediately after phishing a standard user account or exploiting a web application running under a low-privilege service account.

    That means GhostTree is relevant at an earlier stage of an intrusion than most EDR evasion techniques. An attacker who has just established an initial foothold can use the technique to create a persistent, scanner-resistant staging area before attempting privilege escalation — changing the sequence in which defenders need to think about detection coverage. The Varonis disclosure provides filesystem-level indicators that administrators can use to identify junction-based anomalies, but detection at the EDR layer depends on whether the applied patch fully resolves the traversal behavior across all scanner configurations.
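As an added illustration (not code from Varonis or Microsoft), the kind of loop-safe directory audit a defender can run to surface the pattern described above: it never descends through symlinks or junctions, identifies each directory by its inode rather than its path so a junction that resolves to an ancestor cannot send the walk in circles, reports such links, and caps depth. The names `audit_tree`, `points_into_ancestor` and `demo` are hypothetical; junction detection via `os.path.isjunction` exists only on Windows with Python 3.12+ (elsewhere the inode check still breaks the loop), and the sample tree is constructed inline with a symlink standing in for a junction.

```python
import os
import tempfile

ISJUNCTION = getattr(os.path, "isjunction", None)  # Python 3.12+ only; None elsewhere


def points_into_ancestor(link_path: str) -> bool:
    """True when a link resolves to its own parent or an ancestor of it: a traversal loop."""
    target = os.path.realpath(link_path)
    parent = os.path.realpath(os.path.dirname(link_path))
    try:
        return os.path.commonpath([target, parent]) == target
    except ValueError:  # different drives on Windows: cannot be an ancestor
        return False


def audit_tree(root: str, max_depth: int = 64):
    """Walk without following links; return (regular files, looping links, over-depth dirs)."""
    files, loops, too_deep, seen = [], [], [], set()
    stack = [(os.path.abspath(root), 0)]
    while stack:
        directory, depth = stack.pop()
        if depth > max_depth:  # GhostTree nests ~126 levels; refuse to go that far
            too_deep.append(directory)
            continue
        st = os.stat(directory)
        key = (st.st_dev, st.st_ino)  # identity of the directory itself, not of its path
        if key in seen:  # same directory reached by a second path: do not loop
            continue
        seen.add(key)
        with os.scandir(directory) as it:
            for entry in it:
                # Links are tested first because a junction also reports is_dir().
                if entry.is_symlink() or (ISJUNCTION and ISJUNCTION(entry.path)):
                    if points_into_ancestor(entry.path):
                        loops.append(entry.path)
                elif entry.is_dir(follow_symlinks=False):
                    stack.append((entry.path, depth + 1))
                elif entry.is_file(follow_symlinks=False):
                    files.append(entry.path)
    return files, loops, too_deep


def demo():
    """Constructed sample: a link in a/b pointing back at a/b beside a file the scan must reach."""
    with tempfile.TemporaryDirectory() as tmp:
        nested = os.path.join(tmp, "a", "b")
        os.makedirs(nested)
        open(os.path.join(nested, "payload.txt"), "w").close()  # empty stand-in file
        os.symlink(nested, os.path.join(nested, "loop"), target_is_directory=True)
        return audit_tree(tmp)
```

On a real Windows volume, point `audit_tree` at a user-writable tree such as a profile directory; each entry in the returned loop list is a junction or symlink whose target is one of its own ancestors.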
