GhostTree: How Windows Path Manipulation Can Render EDR Scanning Ineffective

Researchers demonstrate that by exploiting NTFS junctions and symbolic links to create recursive directory structures—dubbed GhostTree—a normal user can generate billions of paths that cause EDR folder scans to enter infinite loops, effectively hiding malicious files from detection.

Black & White Path

1. NTFS Reparse Point Basics

Before diving into GhostTree, it is essential to understand the two types of NTFS reparse point used here: symbolic links, which can point to files or directories (including remote paths), and junctions, which can only point to local directories. Their privilege requirements differ in a way that matters for this technique. Creating a symbolic link requires the "Create symbolic links" user right (SeCreateSymbolicLinkPrivilege), which administrators hold by default and standard users hold only when Developer Mode is enabled. Creating a junction needs no privilege at all, only write access to the directory in which the junction is placed. Everything that follows therefore works from an ordinary, unprivileged user account.

2. GhostBranch: The Basic Single‑Point Loop

2.1 Principle

GhostBranch is the foundational technique behind GhostTree. Its core idea is to create a junction that points back to its own parent folder, forming a logical loop.

# Create the parent folder only; do not pre-create the child,
# because mklink /J fails if the link path already exists
mkdir C:\test

# Create the child as a junction that points back to its parent folder C:\test
mklink /J C:\test\child C:\test

After execution, C:\test\child is both a subfolder of C:\test and a junction that redirects back to C:\test, creating a recursive path.

2.2 Path‑Explosion Effect

A single such junction already yields an unbounded number of valid path strings, all resolving to the same directory:

C:\test\child\child\child\...
C:\test\child\child\child\child\...

The filesystem resolves every one of them to C:\test, yet to any code that walks the tree by path string they look like ever-deeper, distinct subdirectories; the only thing that terminates a descent is the path-length limit.

3. GhostTree: A Binary‑Tree Path Maze

GhostTree extends GhostBranch by adding multiple child folders, causing exponential path growth.

3.1 Creation Method

# Create the parent folder (mklink creates the junction directories itself)
mkdir C:\parent

# Create two child junctions, both pointing back to the parent folder
mklink /J C:\parent\P C:\parent
mklink /J C:\parent\B C:\parent

3.2 Path Diversity

Each subsequent level can choose either the "P" or "B" branch, producing paths such as:

C:\parent\P\P\P\P...
C:\parent\B\B\B\B...
C:\parent\P\B\P\B...

The number of possible path strings grows exponentially:

Each level appends two characters ("\P" or "\B"), so with C:\parent as the prefix about 125 levels fit inside the default 260-character MAX_PATH limit (far more if long paths are enabled).

Each level offers two choices (P or B).

Paths at the deepest level alone number about 2^125 ≈ 4.3×10^37, a figure that dwarfs the estimated 10^18 to 10^19 grains of sand on Earth.

4. Why This Bypasses EDR

4.1 EDR Scanning Mechanism

Modern EDR solutions commonly rely on recursive folder scans to locate known malicious file signatures.

4.2 Encountering GhostTree

An attacker places the payload in a folder, then builds a GhostTree around it. When the EDR scans that folder by walking path strings, every directory it enters presents two more subdirectories, each of which resolves back to the parent. An individual descent ends only when the path reaches the Windows length limit (260 characters under MAX_PATH, or 32,767 when long paths are enabled), but the number of distinct descents is astronomically large, so the scanner spends its time enumerating the same directory under ever-longer names.

Result: the scan does not complete within any practical time budget, no result covering the folder is produced, and the malicious file remains undetected.

5. Empirical Results

Security researchers tested GhostTree against Windows Defender’s folder‑scan feature.

# Create a GhostTree structure (the junction directories are created by mklink, not mkdir)
mkdir C:\malicious
mklink /J C:\malicious\P C:\malicious
mklink /J C:\malicious\B C:\malicious

# Place malicious payload
copy malware.exe C:\malicious\

When Defender performed a folder scan, the process entered a prolonged scanning state and eventually timed out, leaving the malware undetected.

6. Microsoft’s Response

"Bypassing a Gartner‑rated endpoint defense is not crossing a security boundary."

Microsoft classifies the technique as “detection avoidance” rather than a vulnerability, and therefore does not plan to patch it. Researchers note, however, that the method can be weaponized in real attacks.

7. Detection and Mitigation Recommendations

7.1 Monitor Junction Creation

Windows has no dedicated audit event for junction creation (the long-term recommendation below asks Microsoft to add one), so the practical signal is process-creation auditing: Security event 4688 with "Include command line in process creation events" enabled (or Sysmon event 1) records cmd.exe invocations of the mklink built-in, and PowerShell script block logging (event 4104) records New-Item -ItemType Junction. SIEM rules should flag bursts of such commands, especially from non-administrative accounts.

# Process-creation events (Security 4688) whose audited command line invokes
# the cmd.exe mklink built-in with /J. Requires command-line auditing to be enabled;
# property index 8 of event 4688 is the command line, index 1 the account name.
Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4688} |
  Where-Object { $_.Properties[8].Value -match 'mklink\s+/J' } |
  Select-Object TimeCreated,
    @{Name="User";        Expression={ $_.Properties[1].Value }},
    @{Name="CommandLine"; Expression={ $_.Properties[8].Value }}

7.2 File‑Access Pattern Analysis

EDR should watch for the following anomalous behaviors:

Multiple accesses to the same file via different paths within a short time window.

Unexpected timeouts during recursive scans.

Correlation between junction creation events and subsequent file writes.

7.3 Mitigation Measures

Short-term:

Deploy specific EDR rules that detect GhostTree patterns (reparse points whose target is the directory containing them or one of its ancestors).

Monitor junction creation events.

Restrict who can create junctions. Note that, unlike symbolic links (gated by the "Create symbolic links" user right), junction creation has no user-rights assignment or Group Policy setting to remove; the only lever is NTFS write permission on the directories that matter.

Long-term:

Implement loop detection and path-normalization checks in EDR scanners, for example by keying visited directories on their volume and file identity rather than on the path string.

Microsoft should consider adding audit logging for junction creation.
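The scanner behaviour described in sections 3 and 4, and the loop-detection and path-normalization fix recommended above, as an added example that is not code from the original article or from any EDR product: it builds the two-branch loop from section 3.1 in a temporary directory, walks it once the naive way and once with identity-based loop detection, and finally runs a check for the GhostTree pattern itself. Python is used so the whole thing can be run end to end; on Windows the branches are real junctions created with the same mklink /J command the article uses, and on other platforms a directory symlink stands in, which the scanner logic treats identically. The directory names, payload file name and depth cap are constructed for the demonstration.

```python
from __future__ import annotations

import os
import stat
import subprocess
import sys
import tempfile


def build_ghosttree(root: str, branches: tuple[str, ...] = ("P", "B")) -> None:
    """Create root\\P and root\\B, each resolving back to root (section 3.1).

    On Windows this runs the cmd.exe built-in `mklink /J` as the article does;
    elsewhere a directory symlink stands in (constructed stand-in, same behaviour
    for the scanners below, which only need a reparse point aimed at an ancestor).
    """
    for name in branches:
        link = os.path.join(root, name)
        if sys.platform == "win32":
            # mklink creates the link directory itself; it must not pre-exist
            subprocess.run(["cmd", "/c", "mklink", "/J", link, root],
                           check=True, capture_output=True)
        else:
            os.symlink(root, link, target_is_directory=True)


def is_reparse_point(path: str) -> bool:
    """True for a symlink on any platform and for a junction on Windows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def naive_scan(root: str, max_depth: int) -> int:
    """Walk by path string, trusting every directory entry, as a simplistic
    scanner would. Returns directories entered; only the depth cap (standing in
    for MAX_PATH) stops it, after branches**(max_depth+1) - 1 visits."""
    visits, stack = 0, [(root, 0)]
    while stack:
        path, depth = stack.pop()
        visits += 1
        if depth >= max_depth:
            continue
        with os.scandir(path) as it:
            for entry in it:
                if entry.is_dir():  # a junction looks like an ordinary directory
                    stack.append((entry.path, depth + 1))
    return visits


def loop_aware_scan(root: str) -> tuple[int, list[str]]:
    """Visit each real directory once by keying on (volume, file id).

    os.stat follows the reparse point, so every GhostTree path string maps to
    the identity of the one real directory. Returns (directories, files)."""
    seen: set[tuple[int, int]] = set()
    dirs, files, stack = 0, [], [root]
    while stack:
        path = stack.pop()
        st = os.stat(path)
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue  # already scanned under another name: the loop is cut here
        seen.add(key)
        dirs += 1
        with os.scandir(path) as it:
            for entry in it:
                (stack if entry.is_dir() else files).append(entry.path)
    return dirs, files


def find_ancestor_loops(root: str) -> list[tuple[str, str]]:
    """Path-normalization check for the GhostTree pattern itself: report every
    reparse point whose resolved target is the directory containing it or one
    of that directory's ancestors. Reparse points are never descended into."""
    loops, stack = [], [root]
    while stack:
        path = stack.pop()
        parent = os.path.realpath(path)
        with os.scandir(path) as it:
            for entry in it:
                if not entry.is_dir():
                    continue
                if is_reparse_point(entry.path):
                    target = os.path.realpath(entry.path)
                    if parent == target or parent.startswith(target + os.sep):
                        loops.append((entry.path, target))
                else:
                    stack.append(entry.path)
    return loops


def demo(max_depth: int = 10) -> dict[str, int]:
    """Build a GhostTree around one constructed payload file and compare scanners."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "payload.bin"), "wb") as fh:
            fh.write(b"constructed sample payload, not real malware")
        build_ghosttree(root)
        dirs, files = loop_aware_scan(root)
        return {
            "naive_visits": naive_scan(root, max_depth),     # 2**(max_depth+1) - 1
            "real_dirs": dirs,                               # 1
            "payloads_found": len(files),                    # 1
            "loops_flagged": len(find_ancestor_loops(root)), # 2: P and B
        }


if __name__ == "__main__":
    print(demo())
```

With the default depth cap of 10 the naive walk enters the single real directory 2,047 times before giving up, while the identity-keyed walk scans it once and still finds the payload; raising the cap toward the 125 levels that fit under MAX_PATH is what turns this into the stall the article describes. The (st_dev, st_ino) key is the volume serial and file index on Windows and the device/inode pair elsewhere, so the same scanner works for junctions, symbolic links and hard-linked directory structures alike.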

8. Potential Attack Scenarios

GhostTree can be leveraged for:

Malware persistence : Hide malicious binaries in directories that EDR cannot scan.

Data exfiltration cover : Mix real exfiltration channels among billions of fake paths.

Backdoor concealment : Prevent AV/EDR from locating backdoor files.

9. Conclusion

GhostTree is a clever exploitation of built‑in Windows filesystem features that does not rely on traditional vulnerabilities. Because it uses functionality that Microsoft deems “working as intended,” defending against it requires moving beyond simple signature scans toward behavioral analysis and anomaly detection.

Understanding such path‑manipulation techniques is essential for security teams aiming to stay ahead of attackers.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
