# GhostTree & GhostBranch: Abusing Recursive NTFS Junctions to Defeat EDR Folder Scans

## Summary

With two commands and no admin rights, an ordinary user can generate a near-infinite number of valid Windows file paths — enough to make recursive scanners, EDR included, run forever without finishing. Varonis Threat Labs named the technique **GhostTree**, along with a simpler variant, **GhostBranch**.

The trick is abusing an **NTFS junction** pointed back at its own parent directory, creating a recursive loop. Malware dropped into that folder stays unexamined, because the scanning process gets stuck in the loop and never reaches the file. Varonis verified the technique evades Windows Defender folder scans. The issue was reported to Microsoft and subsequently patched, even though Microsoft initially closed the ticket on the grounds that "bypassing Defender is not crossing a security boundary."

What stands out: this exploits no bug. It abuses a legitimate NTFS feature that anyone with write access to a folder can use — no privileges required.

## How NTFS junctions work

Junctions (and symbolic links) are advanced NTFS features that redirect one directory to another, serving legitimate purposes such as backward compatibility with legacy applications or reorganizing files without physically moving them. Technically, a junction is a type of **reparse point**: the OS treats a path traversing the junction as a real directory.

Creating one requires only write permission and a single CMD command:

```cmd
mklink /J C:\LinkToFolder C:\TargetFolder
```

Any application accessing files through `LinkToFolder` sees the contents of `TargetFolder` as if they were local.

One constraint matters: classic Windows caps path length at **260 characters** (`MAX_PATH`). It can be raised to 32,767 characters via a registry key, but many applications and utilities can't handle paths beyond 260. That limit determines how deep the recursive loop can go and how many unique paths it can produce.

## GhostBranch — the simple variant

Starting structure:

```text
C:\Parent\program.exe
```

Run the command that points a child folder back at its own parent:

```cmd
mklink /J C:\Parent\Child C:\Parent
```

Now `Child` contains everything `Parent` does, including itself. The result is an unlimited number of valid paths resolving to the same file:

```text
C:\Parent\Child\program.exe
C:\Parent\Child\Child\program.exe
C:\Parent\Child\Child\Child\Child\program.exe
```

![GhostBranch loop diagram](https://www.varonis.com/hubfs/Blog_VTL-GhostTree_202605_Diagram1_V2.png align="center")

To maximize directory count within the 260-character limit, you can use single-letter folders (e.g., `P`) directly under `C:` and an executable named `1.exe`:

```text
C:\P\1.exe
C:\P\P\1.exe
C:\P\P\P\...\1.exe
```

This configuration yields roughly **126 unique directory structures**.

## GhostTree — exponential escalation

GhostTree extends the idea by creating **multiple** child folders instead of one. For example, two junctions `P` and `B`, both looping back to the parent:

```cmd
mklink /J C:\Parent\Child1 C:\Parent
mklink /J C:\Parent\Child2 C:\Parent
```

Now every level in the path can branch through either child, forming a **binary tree**:

```text
C:\B\1.exe
C:\P\B\1.exe
C:\P\B\P\B\...\1.exe
```

![GhostTree binary tree diagram](https://www.varonis.com/hubfs/Blog_VTL-Not2C_202604_Diagram2_V2.png align="center")

Maximum depth stays around 126 levels, but since each level can be `P` or `B`, the total number of distinct paths explodes:

```text
2^126 ≈ 8.5 × 10^37
```

For perspective, that's far larger than the number of grains of sand on Earth (8.5 × 10¹⁸) or the atoms in your body (10²⁷).

## Why EDR gets bypassed

The attack mechanism is dangerously compact: an attacker drops malware in the parent directory, sets up the GhostTree structure, and that folder becomes **effectively unscannable**. A recursive `dir` or an EDR's folder-scanning engine follows the loop and hangs indefinitely — the malicious file in the same folder never gets its turn. Varonis tested this successfully against Windows Defender.

It's a reminder that endpoint scanning is only **one layer** of defense. Any directory-walking process without loop detection or a depth limit can be turned into a blind spot.

## Assessment

What makes GhostTree noteworthy isn't its complexity — it's technically trivial — but that it turns a "harmless" OS feature into an evasion tool, and that Microsoft initially declined to treat it as a security issue. The "bypassing Defender isn't crossing a security boundary" reasoning holds up within a strict threat model, but for defenders running operations, a folder whose scan never completes is a weaponizable blind spot.

Notably, Microsoft patched it anyway. The underlying issue, however — recursive directory-walking tools handling reparse points unsafely — is a recurring failure pattern, not confined to one scanning engine. Reparse points have been abused before (privilege escalation, sandbox escape), and GhostTree is a fresh twist on the same class of problem: blindly trusting user-controlled directory structures.

## Recommendations

*   Apply the latest Windows/Defender patches — Microsoft has fixed this technique.
    
*   Monitor for anomalous junction/reparse-point creation at the data layer; on endpoints, Sysmon **FileCreate (Event ID 11)** can surface junction creation events.
    
*   Alert on unusual recursive directory structures that shouldn't exist in normal operations (e.g., child folders repeating the parent's name across many levels).
    
*   Don't rely on folder scanning alone — pair behavioral monitoring with file-access telemetry to catch what scanners miss.
    

## References

*   [GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security — Varonis Threat Labs](https://www.varonis.com/blog/ghosttree-ntfs-trick)
    
*   [GhostTree Attack Abused Recursive Windows Junctions to Hide Malware — BleepingComputer](https://www.bleepingcomputer.com/news/security/ghosttree-attack-abused-recursive-windows-junctions-to-hide-malware/)
