A new technique dubbed GhostTree allows attackers to create recursive loops using NTFS junctions, making it impossible for security tools to scan directories, according to Varonis. The method abuses a file system feature that requires no special privileges to create, potentially leaving malicious files hidden and unexamined, with further coverage provided by Bleeping Computer.

GhostTree leverages NTFS junctions, a file system feature that allows one directory to point to another. Attackers can create a junction that points back to its parent directory, forming a recursive loop. This loop generates an almost infinite number of valid file paths, causing directory scanning tools, including endpoint detection and response (EDR) products like Windows Defender, to hang indefinitely. The technique, which requires only write access to a folder, allows malware placed in the parent directory to go undetected.

While Microsoft initially closed a report on the issue, a patch was later released. This highlights the importance of monitoring file system activity beyond endpoint scanning, as anomalous junction creation can be a strong indicator of malicious intent.

Source: Bleeping Computer
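As an added illustration (not code from the article, Varonis or Bleeping Computer), the following Python script is a loop-safe directory walker: it refuses to descend through reparse points and flags any junction or symlink that resolves to its own ancestor, which is the detection signal the brief recommends. The demo tree, the file names and the use of a symlink in place of an NTFS junction are constructed assumptions so the script runs on any OS; a scanner that treats junctions as ordinary directories would never return from the same tree.

```python
import os
import stat
import tempfile
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)  # NTFS reparse bit

def is_reparse_point(entry):
    """Symlink on any OS, or an NTFS junction (reparse point) on Windows."""
    if entry.is_symlink():
        return True
    try:  # st_file_attributes exists only on Windows
        return bool(entry.stat(follow_symlinks=False).st_file_attributes & REPARSE)
    except (OSError, AttributeError):
        return False

def points_to_ancestor(link_path):
    """A junction/link resolving to its own parent chain is a recursive loop."""
    target = os.path.realpath(link_path)
    parent = os.path.realpath(os.path.dirname(link_path))
    return parent == target or parent.startswith(target + os.sep)

def scan(root):
    """Loop-safe walk; returns (dirs_visited, [(link_path, resolved_target), ...])."""
    seen, loops, visited = set(), [], 0
    stack = [os.path.realpath(root)]
    while stack:
        cur = stack.pop()
        if cur in seen:  # real path already walked: a second route to it is a loop
            continue
        seen.add(cur)
        visited += 1
        with os.scandir(cur) as it:
            for entry in it:
                if is_reparse_point(entry):
                    if points_to_ancestor(entry.path):
                        loops.append((entry.path, os.path.realpath(entry.path)))
                    continue  # record the junction, never follow it
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
    return visited, loops

def build_demo():
    """Constructed tree: <tmp>/share/{docs, sample.txt} plus share/loop -> share.
    A symlink stands in for an NTFS junction (mklink /J) so it runs anywhere."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "share")
    os.makedirs(os.path.join(share, "docs"))
    with open(os.path.join(share, "sample.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    os.symlink(share, os.path.join(share, "loop"), target_is_directory=True)
    return root
```

Running `scan(build_demo())` visits three directories and reports one loop, the `loop` entry resolving to `share`; in production the same check would feed a file-activity monitor rather than a one-off walk.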