Windows file path architecture contains fundamental complexities that enterprise security teams frequently overlook. While standard users typically interact with basic, linear folder structures, the underlying NTFS file system supports highly advanced features like directory junctions and symbolic links. Historically, these capabilities serve legitimate administrative purposes, such as maintaining backward compatibility for legacy applications that expect files in hardcoded locations, redirecting directories seamlessly, or reorganizing files without physically moving them on storage media. An NTFS junction is a specific type of reparse point that transparently redirects a file system request from one directory to a target directory. Creating a junction requires only standard write permissions and a single command-line instruction executed via CMD:
mklink /J C:\LinkToFolder C:\TargetFolder
This command instantiates a logical junction named “LinkToFolder” that transparently points directly to “TargetFolder”. Any application or system process accessing files through this junction views the target directory’s contents exactly as if they were natively local. However, classic Windows deployments impose a legacy architectural constraint: a maximum path length of 260 characters. Although registry configuration can technically extend this threshold up to 32,767 characters, a substantial portion of enterprise applications and administrative utilities remain entirely unequipped to handle paths exceeding the 260-character baseline. This length restriction remains a strict practical limitation for software, and it directly dictates how deep a recursive file system loop can extend and how many unique paths can be generated during an exploit.
Exploiting Reparse Loops: From GhostBranch to GhostTree
Most enterprise security operations centers (SOCs) relegate NTFS junctions to niche, benign storage management features that rarely demand active monitoring. However, these reparse points possess a unique offensive property that makes them highly attractive from an exploitation perspective: any authenticated user can create them without administrative privileges or special permissions beyond basic write access to the target folder. By deliberately directing a junction back to its own parent directory, an unprivileged attacker can engineer a recursive logical loop that yields effectively infinite file paths. This exploitation methodology begins with a basic technique called GhostBranch. Given a target folder structure containing a payload, such as C:\Parent\program.exe, an adversary runs a straightforward linking command:
mklink /J C:\Parent\Child C:\Parent
This instruction creates a logical loop by pointing the newly minted child directory directly back to its own parent folder. Consequently, the child folder transparently contains everything the parent does—including an identical copy of itself—generating an unlimited number of valid paths to the same underlying file. Paths like C:\Parent\Child\Program.exe, C:\Parent\Child\Child\Program.exe, and deeply nested variations remain completely valid and functional within the operating system, with every single unique path resolving directly to the exact same executable.
The advanced GhostTree technique builds directly upon this concept by establishing multiple concurrent child junctions within the parent folder rather than relying on a single path. An attacker can run two consecutive commands to instantiate parallel reparse loops:
mklink /J C:\Parent\Child1 C:\Parent
mklink /J C:\Parent\Child2 C:\Parent
Now, every sequential nested level in the directory path can branch through either Child1 or Child2, with both routing recursively back to the root parent. This architectural manipulation allows a massive variety of interleaved combinations—such as C:\Parent\Child1\Child2\Program.exe—exponentially expanding path diversity across the system.
The Combinatorial Mathematics of GhostTree
The critical distinction between GhostBranch and GhostTree lies entirely in path diversity, driven by the addition of multiple child junctions within the 260-character traditional path limit. To maximize the total number of distinct directory structures under this ceiling, an attacker can optimize folder name lengths by creating single-letter directories (such as “P”) directly under the root drive and utilizing a minimal executable name like 1.exe. In a basic GhostBranch configuration, example paths like C:\P\1.exe and C:\P\P\1.exe form a strictly linear progression, yielding a maximum of approximately 126 unique directory structures before breaching the 260-character boundary.
Conversely, the GhostTree configuration introduces two alternating parent folder variables, designated as “P” and “B”. While the physical depth remains capped at roughly 126 folders due to length constraints, each sequential level can choose to branch into either “P” or “B,” effectively creating a massive binary tree structure within the file system layout.
Because each node across this engineered layout represents a distinct, fully valid path resolving to the identical file payload, the total number of possible unique path combinations is calculated as:
This combinatorial explosion is mind-bogglingly vast. To put this number into perspective, it is significantly larger than the estimated total number of grains of sand on Earth, which sits at 8.5×10^8, and it overwhelmingly outweighs the total number of atoms comprising a standard human body, calculated at 10^27.
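The following is an added worked example, not code from the original article: it models the counting argument above in Python. The layout, folder and file names (C:\, “P”, “B”, 1.exe) and the 260-character ceiling are taken from the text; the counting model is our assumption (the real root folder is one fixed choice and every deeper level picks one of the junction names), so the exact total differs from the article’s own figure by how the first level is counted, but the order of magnitude does not. A brute-force enumerator for small depths cross-checks the closed form.

```python
from itertools import product
from math import log10

# Assumed layout (ours): <prefix><dir>\<dir>\...\<file>, e.g. C:\P\P\P\1.exe
# The first <dir> is the real root folder; every deeper level is one of the
# junction names (P or B), all of which resolve back to that root.

def longest_path(depth, prefix="C:\\", dir_name="P", file_name="1.exe"):
    """Textual path for a chain `depth` folders deep (depth >= 1)."""
    return prefix + (dir_name + "\\") * depth + file_name

def max_depth(limit=260, prefix="C:\\", dir_name="P", file_name="1.exe"):
    """Deepest chain whose full path still fits within `limit` characters."""
    fixed = len(prefix) + len(file_name)
    per_level = len(dir_name) + 1          # folder name plus its trailing backslash
    return (limit - fixed) // per_level

def count_paths(depth, branches):
    """Distinct paths to the payload using chains of length 1..depth.

    A depth-d chain has branches**(d-1) variants (root fixed, d-1 free levels),
    so the total is the geometric series sum_{d=1..depth} branches**(d-1).
    """
    if branches == 1:                      # GhostBranch: strictly linear
        return depth
    return (branches ** depth - 1) // (branches - 1)

def enumerate_paths(depth, root="P", junctions=("P", "B"), prefix="C:\\", file_name="1.exe"):
    """Explicitly list every path up to `depth` levels; only sensible for small depth."""
    paths = []
    for d in range(1, depth + 1):
        for tail in product(junctions, repeat=d - 1):
            paths.append(prefix + "\\".join((root,) + tail) + "\\" + file_name)
    return paths

def orders_of_magnitude(n):
    """Floor of log10(n), for comparing against figures such as 10**27."""
    return int(log10(n))

if __name__ == "__main__":
    d = max_depth()
    print("max depth under 260 chars:", d, "longest path length:", len(longest_path(d)))
    print("GhostBranch paths:", count_paths(d, 1))
    print("GhostTree  paths:", count_paths(d, 2), "~ 10^%d" % orders_of_magnitude(count_paths(d, 2)))
    print("brute-force check at depth 4:", len(enumerate_paths(4)), "==", count_paths(4, 2))
```

With the article’s names the chain bottoms out at depth 126 (exactly 260 characters), GhostBranch yields 126 paths, and GhostTree yields 2^126 − 1 paths, roughly 10^37, which is comfortably above the 10^27 figure quoted above.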
EDR Evasion and Scanner Paralysis
The operational threat this technique poses to enterprise cyber defense is acute. With just two mklink commands, an unprivileged local user can generate an astronomical matrix of valid paths, making it impossible to finish scanning the parent directory recursively with basic administrative tools like the dir command. The exact same limitation applies to Endpoint Detection and Response (EDR) products that automatically scan folders for malicious files. An attacker can place malware directly inside the parent directory and construct a GhostTree structure, rendering the containing folder effectively unscannable.
When defensive scanning engines attempt to traverse the directories recursively, they follow the loop indefinitely, looking for a termination point that never arrives. The automated scan hangs without completing, leaving the malicious payloads unexamined by security engines.
Empirical testing confirmed that this technique successfully evaded Windows Defender folder scans. When the issue was reported to Microsoft, the ticket was initially closed with the explanation that bypassing Defender does not constitute crossing a defined security boundary; however, the flaw was subsequently patched regardless. This technique serves as a stark reminder that endpoint scanning is merely one layer of defense. Security architectures must look deeper into data-layer activity to catch what scanners miss, including tracking anomalous junction creation and recursive directory structures that should not exist in normal operations. Varonis, for instance, monitors file access patterns to detect this precise type of anomalous activity across file systems and cloud infrastructure.
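As an added example (ours, not code from the article or from any scanner vendor), the Python below shows the two defensive behaviours this section calls for: a directory walk that never descends through a reparse point and tracks directory identity so a GhostBranch/GhostTree loop cannot stall it, and a check that flags any link whose target is its own parent or an ancestor, i.e. the recursive structure that should not exist in normal operations. The fixture it builds is constructed for the demo: on Linux/macOS the loops are created with os.symlink because mklink /J does not exist there; the walker itself also treats NTFS reparse points as links when run on Windows.

```python
import os
import stat
import tempfile
from pathlib import Path

def is_reparse_point(entry):
    """True for a symlink on any OS, or for any NTFS reparse point (junction, symlink,
    mount point) when running on Windows, where DirEntry.stat exposes st_file_attributes."""
    if entry.is_symlink():
        return True
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)  # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def points_into_ancestor(link_path):
    """True when a link resolves to its own parent directory or to any ancestor of it:
    the shape that GhostBranch (one link) and GhostTree (several) rely on."""
    target = Path(os.path.realpath(link_path))
    parent = Path(os.path.realpath(os.path.dirname(link_path)))
    return target == parent or target in parent.parents

def safe_walk(root, max_depth=64):
    """Walk `root` without following reparse points and without revisiting a directory
    identity (st_dev, st_ino). Returns regular files, loop links and other links found."""
    seen = set()
    files, loops, other_links = [], [], []

    def visit(directory, depth):
        st = os.stat(directory)
        ident = (st.st_dev, st.st_ino)
        if ident in seen or depth > max_depth:   # second guard is belt-and-braces
            return
        seen.add(ident)
        with os.scandir(directory) as it:
            for entry in sorted(it, key=lambda e: e.name):
                if is_reparse_point(entry):
                    # Never descend: the target is scanned where it physically lives.
                    (loops if points_into_ancestor(entry.path) else other_links).append(entry.path)
                    continue
                if entry.is_dir(follow_symlinks=False):
                    visit(entry.path, depth + 1)
                elif entry.is_file(follow_symlinks=False):
                    files.append(entry.path)

    visit(os.path.realpath(root), 0)
    return {"files": files, "loops": loops, "other_links": other_links, "dirs_visited": len(seen)}

def build_fixture(base):
    """Constructed demo layout (ours): a parent folder holding a dummy payload, a real
    subfolder, two loop links back to the parent (GhostTree) and one benign link."""
    parent = os.path.join(base, "Parent")
    os.makedirs(os.path.join(parent, "Sub"))
    Path(parent, "program.exe").write_bytes(b"MZ-constructed-dummy")   # not a real binary
    Path(parent, "Sub", "notes.txt").write_text("constructed sample file")
    elsewhere = os.path.join(base, "Elsewhere")
    os.makedirs(elsewhere)
    for name in ("Child1", "Child2"):                                  # the two loops
        os.symlink(parent, os.path.join(parent, name), target_is_directory=True)
    os.symlink(elsewhere, os.path.join(parent, "Other"), target_is_directory=True)
    return parent

def run_demo():
    """Build the fixture in a temp dir, walk it, and report basenames for readability."""
    with tempfile.TemporaryDirectory() as base:
        result = safe_walk(build_fixture(base))
        return {k: sorted(os.path.basename(p) for p in v) if isinstance(v, list) else v
                for k, v in result.items()}

if __name__ == "__main__":
    print(run_demo())
```

The walk terminates immediately on the looped layout because it refuses to step through any link; the loop links are reported separately so a monitoring pipeline can alert on junctions that point at their own ancestors, which is a far cheaper signal than trying to exhaust the path space. The directory-identity set is the second line of defence for the case where a scanner does follow links by policy.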
Strategic Analysis: Our Opinion on the GhostTree Case
The GhostTree case highlights a critical vulnerability in standard endpoint defense strategies, exposing a heavy reliance on folder scanning utilities that are easily blinded by native file system design. Microsoft’s initial response—closing the ticket under the premise that bypassing Defender does not cross an official security boundary—demonstrates a frustrating gap between theoretical security models and practical enterprise defense. Even though the issue was eventually patched, dismissing a technique that effectively forces EDR tools to hang indefinitely downplays the tactical advantage it grants to malicious actors during post-exploitation phases.
By utilizing basic, unprivileged user access to execute standard directory commands, an attacker can create an environment where malicious files remain completely unexamined. This case proves that relying solely on endpoint scanning engines leaves a dangerous gap in an organization’s defense posture. To counter these logic-based evasion techniques, security teams must move beyond simple folder-traversal tools and implement data-layer monitoring capable of tracking anomalous file system activity, such as irregular junction creation and recursive structures.
