
GhostTree Attack Abused Recursive Windows Junctions to Hide Malware

Why This Matters

The GhostTree technique abuses recursive NTFS junctions to keep file scanners busy and leave malware unexamined. It is not a bug in Windows: junctions behave exactly as documented. The weakness is in tools that recurse through the file system without treating reparse points as boundaries, which is why teams should understand and monitor file system features that security tooling often ignores, since attackers can use them to bypass defenses and conceal malicious activity.

Key Takeaways

Most security teams think of NTFS junctions and symbolic links as niche file system features. They let one directory point to another, like a shortcut that the OS resolves transparently. They exist for backward compatibility and storage management, and they rarely come up in a SOC. But junctions have a property that makes them interesting from an offensive perspective: any user can create them.

No admin privileges are required, and no special permissions beyond write access to the directory in which the junction is created. (Symbolic links are different: creating one requires SeCreateSymbolicLinkPrivilege, which only administrators hold by default unless Developer Mode is enabled.)

We discovered that by pointing a junction back at its own parent directory, an attacker can create a recursive loop that generates paths of effectively unbounded depth, limited only by the path length the scanning API will accept (260 characters for legacy MAX_PATH calls, roughly 32,767 with the \\?\ prefix or long-path support). Tools that scan the directory recursively, including EDR products, can follow the loop and never finish, or give up on the directory before reaching the rest of its contents.

The malicious files sitting in the same folder go unexamined. We've dubbed the technique GhostTree.

How NTFS junctions work

Windows file paths look simple, but NTFS adds indirection that most users never see: junctions and symbolic links, which make one path resolve to another location on disk.

These features serve legitimate purposes, such as redirecting directories, keeping legacy applications working when they expect files at fixed locations, or reorganizing storage without physically moving files.

A junction is a type of NTFS reparse point that redirects one directory to another directory on a local volume. Creating one requires only write permission on the parent directory and a single command in CMD (mklink is a cmd.exe built-in, so it runs wherever cmd.exe does):

mklink /J C:\LinkToFolder C:\TargetFolder

This creates a junction named "LinkToFolder" that transparently points to "TargetFolder." Any application accessing files through the junction sees the contents of the target directory as if they were local, and unless it checks the reparse attribute it cannot tell the difference. To see which entries in a directory are reparse points, run dir /AL; fsutil reparsepoint query <path> shows where a given one points.
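The following is an added example, not code from the original write-up or its authors. It builds a constructed GhostTree-style layout in a temporary directory (a stand-in payload file next to a link pointing back at the directory itself), then runs two scanners over it: a naive one that descends into anything reporting as a directory, which is the pattern the loop defeats, and a loop-safe one that treats every reparse point as a boundary and additionally tracks the identity of each ancestor directory so that a cycle is detected even if a link slips through. On Windows the loop is created with the page's own mklink /J command; elsewhere a symlink stands in for the junction so the same logic can be exercised. The MAX_DEPTH cap, the ScanResult fields, and the file names are assumptions chosen for the demo.

```python
"""Loop-safe directory scanning versus the naive recursion GhostTree defeats."""
import os
import shutil
import stat
import subprocess
import tempfile
from dataclasses import dataclass, field

# Hypothetical depth cap for the demo. Kept small so that on Windows the longest
# path the naive scanner builds stays under the legacy 260-character MAX_PATH.
MAX_DEPTH = 32


def build_demo_tree() -> str:
    """Constructed sample layout (not from any real incident):
    <tmp>/payload.bin  stand-in for the file the attacker wants left unexamined
    <tmp>/loop         junction (Windows) or symlink (POSIX) back to <tmp>
    """
    root = tempfile.mkdtemp(prefix="ghosttree_")
    with open(os.path.join(root, "payload.bin"), "wb") as f:
        f.write(b"\x90" * 16)  # constructed placeholder content
    link = os.path.join(root, "loop")
    if os.name == "nt":
        # The page's own command: mklink is a cmd.exe built-in and needs no privilege.
        subprocess.run(["cmd", "/c", "mklink", "/J", link, root],
                       check=True, capture_output=True)
    else:
        # POSIX analogue of the junction so the loop can be exercised off Windows.
        os.symlink(root, link, target_is_directory=True)
    return root


def cleanup(root: str) -> None:
    """shutil.rmtree unlinks symlinks and junctions rather than entering them."""
    shutil.rmtree(root)


def naive_scan(root: str, max_depth: int = MAX_DEPTH) -> int:
    """The vulnerable pattern: enter anything that reports as a directory, which
    on Windows includes junctions. Depth-capped only so the demo terminates;
    returns the deepest level reached (equals max_depth when a loop exists)."""
    deepest = 0
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        deepest = max(deepest, depth)
        if depth >= max_depth:
            continue
        with os.scandir(path) as it:
            for entry in it:
                if entry.is_dir():  # follow_symlinks=True by default
                    stack.append((entry.path, depth + 1))
    return deepest


def is_reparse_point(entry: os.DirEntry) -> bool:
    """True for any NTFS reparse point (junction, mount point, symlink) on
    Windows, and for symlinks elsewhere. A safe scanner never enters these."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


@dataclass
class ScanResult:
    files: list = field(default_factory=list)           # regular files, relative to root
    reparse_points: list = field(default_factory=list)  # recorded, never entered
    cycles: list = field(default_factory=list)          # directory already on the path
    truncated: list = field(default_factory=list)       # directories beyond max_depth


def safe_scan(root: str, max_depth: int = MAX_DEPTH) -> ScanResult:
    """Recurse without following reparse points; detect cycles by directory identity."""
    result = ScanResult()
    root_st = os.stat(root)
    on_path = {(root_st.st_dev, root_st.st_ino)}  # identity of every ancestor dir

    def walk(path: str, depth: int) -> None:
        with os.scandir(path) as it:
            for entry in it:
                if is_reparse_point(entry):
                    result.reparse_points.append(entry.path)  # log it, do not enter
                    continue
                if entry.is_dir(follow_symlinks=False):
                    st = os.stat(entry.path)  # os.stat, not entry.stat: Windows
                    key = (st.st_dev, st.st_ino)  # DirEntry.stat leaves st_ino at 0
                    if key in on_path:  # defence in depth against a missed link
                        result.cycles.append(entry.path)
                        continue
                    if depth + 1 > max_depth:
                        result.truncated.append(entry.path)
                        continue
                    on_path.add(key)
                    walk(entry.path, depth + 1)
                    on_path.discard(key)
                elif entry.is_file(follow_symlinks=False):
                    result.files.append(os.path.relpath(entry.path, root))

    walk(root, 0)
    return result


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        print("naive scanner reached depth", naive_scan(demo), "and was still going")
        print("safe scanner:", safe_scan(demo))
    finally:
        cleanup(demo)
```

The naive scanner walks the loop until the depth cap stops it; in a real scanner with no cap the walk ends only when the path exceeds the API's length limit, times out, or hangs, and payload.bin is never reported. The safe scanner reports the file immediately, records the link as a reparse point for later review (a self-referencing junction in a user-writable directory is itself worth an alert), and the ancestor-identity check means a loop cannot recur even if a future link type were missed by is_reparse_point.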
