You ever watch a security tool churn through your file system, taking an eternity to scan what should be a simple directory? We all have. And most of us just chalk it up to ‘bloat’ or ‘inefficiency.’ But what if that sluggishness isn’t a bug, but a feature? A feature, mind you, that a clever attacker could weaponize to make malicious files invisible to the very tools meant to find them.
That’s the core of GhostTree, a newly detailed path manipulation technique that exploits something as fundamental as Windows file paths. Forget fancy zero-days or obscure kernel exploits for a second. This is about playing with the plumbing, and it’s terrifyingly simple.
Who’s Really Making Money Here?
Look, I’ve been covering Silicon Valley for longer than I care to admit, and one thing remains constant: if there’s a way to sell a solution, someone will find a problem. In this case, the ‘problem’ is EDR (Endpoint Detection and Response) tools struggling to keep up. And the ‘solution’? Well, that’s where the cash usually flows – back to the vendors of those same EDR tools, who will undoubtedly rush to patch this specific, and likely many other, similar tricks.
But let’s not get ahead of ourselves. The tech itself, GhostTree, is the star of the show right now.
It’s All About the Links, Baby (NTFS Junctions)
Most security folks probably think of NTFS junctions and symbolic links as dusty old features, useful for niche IT tasks or legacy compatibility. Think of them as a fancy shortcut – a directory pointing to another directory, but the operating system treats it as the real deal. The kicker? You don’t need admin rights to create them. Just write access to a folder. That’s it. No special privileges required. Anyone can do it. And that’s where the fun begins.
The researchers behind this discovered that by creating a junction that points back to its own parent directory, you can create a recursive loop. Imagine a folder that contains itself, which contains itself, which contains itself… ad infinitum. Tools that try to traverse this directory structure, like those EDR scanners, get stuck in an endless loop, never reaching the actual malicious files lurking in the same parent folder.
We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths. Tools that try to scan the directory recursively, including EDR products, could follow the loop and never finish.
They’ve dubbed this technique GhostTree. It’s not about breaking into systems; it’s about hiding in plain sight, using the OS’s own rules against it.
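What a scanner that doesn’t fall into the loop looks like, as an added example written for this article (not the researchers’ code or any EDR vendor’s): it never descends through a reparse point, flags a link whose target is its own ancestor, and bounds the walk with a visited set and a depth cap. The demo tree is constructed in a temp directory with a symlink standing in for the junction, since the test runner here is not on NTFS; on Windows the same check catches mklink /J junctions through the reparse-point attribute.

```python
import os
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows flag set on junctions; not in os on POSIX


def is_reparse_point(path):
    """True for symlinks on any OS and for NTFS junctions on Windows."""
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    return os.path.islink(path) or bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def points_at_ancestor(link):
    """GhostTree shape: the link's target is its own parent or a higher ancestor."""
    target = os.path.realpath(link)
    parent = os.path.realpath(os.path.dirname(os.path.abspath(link)))
    try:
        return os.path.commonpath([target, parent]) == target
    except ValueError:  # different drives on Windows: cannot be an ancestor
        return False


def safe_walk(root, max_depth=64):
    """Return (files, suspicious_links) without ever following a reparse point.
    A depth cap and a visited (device, inode) set make any loop finite."""
    files, suspicious, seen = [], [], set()
    stack = [(os.path.abspath(root), 0)]
    while stack:
        directory, depth = stack.pop()
        st = os.stat(directory)
        if (st.st_dev, st.st_ino) in seen or depth > max_depth:
            continue
        seen.add((st.st_dev, st.st_ino))
        with os.scandir(directory) as entries:
            for entry in entries:
                if is_reparse_point(entry.path):
                    if points_at_ancestor(entry.path):
                        suspicious.append(entry.path)  # log it, never descend
                    continue
                if entry.is_dir(follow_symlinks=False):
                    stack.append((entry.path, depth + 1))
                else:
                    files.append(entry.path)
    return files, suspicious


def build_demo_tree():
    """Constructed sample: a real subfolder with a file, plus a link 'Child'
    pointing back at its own parent (the mklink /J C:\\Parent\\Child shape)."""
    root = tempfile.mkdtemp(prefix="ghosttree_demo_")
    os.mkdir(os.path.join(root, "Sub"))
    open(os.path.join(root, "Sub", "inner.txt"), "w").close()
    os.symlink(root, os.path.join(root, "Child"), target_is_directory=True)
    return root
```

A naive recursive walk over the same tree would re-enter Child forever; this one returns the single real file and one flagged link, which is the event a defender wants surfaced rather than silently skipped.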
GhostBranch: The Simple Loop
GhostBranch is the more straightforward sibling. You create a junction in a folder, say C:\Parent, and point it to itself. So, mklink /J C:\Parent\Child C:\Parent does the trick. Now