GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security

Varonis Threat Labs discovered a new technique that abuses NTFS junctions to generate infinite file paths, causing EDR products to hang and leave files unscanned.

Dolev Taler

Last updated May 19, 2026

Most security teams think of NTFS junctions and symbolic links as niche file system features. They let one directory point to another, like a shortcut that the OS treats as real. They exist for backward compatibility and storage management, things that rarely come up in a SOC. But junctions have a property that makes them interesting from an offensive perspective: any user can create one. No admin privileges or special permissions are required beyond write access to the directory in which the junction is created; the target directory does not even have to be writable. (Directory symbolic links are different: by default Windows reserves them for accounts holding SeCreateSymbolicLinkPrivilege, normally administrators, or for systems with Developer Mode enabled.)

We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths. Tools that try to scan the directory recursively, including EDR products, could follow the loop and never finish. The malicious files sitting in the same folder go unexamined, creating a technique we've dubbed GhostTree.

How NTFS junctions work

Windows file paths are a fundamental part of the operating system, but they come with complexities. While most users interact with simple folder structures, the NTFS file system introduces advanced capabilities like junctions and symbolic links. These features serve legitimate purposes, such as redirecting directories, maintaining backward compatibility with legacy applications that expect files to be in specific locations, or reorganizing files without physically moving them.

A junction is a type of NTFS reparse point that redirects one directory to another. Creating one requires only write permission on the directory that will contain the junction (the target need not be writable) and a single command in CMD:

mklink /J C:\LinkToFolder C:\TargetFolder

This creates a junction named "LinkToFolder" that transparently points to "TargetFolder." Any application accessing files through the junction sees the contents of the target directory as if they were local.

One constraint matters here though. The classic Win32 limit, MAX_PATH, is 260 characters (including the terminating null), a legacy of older software and file system design. NTFS itself, and any path passed to the Win32 APIs with the \\?\ prefix, allows up to 32,767 characters, and since Windows 10 version 1607 the LongPathsEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem (together with an opt-in in the application manifest) lifts the limit for ordinary paths as well, but many applications and utilities are still not equipped to handle paths beyond 260.

Even though NTFS supports longer paths, practical usage remains restricted by existing software. That limit determines how deep the recursive loops can go, and how many unique paths GhostTree can produce.

GhostBranch

GhostBranch is the simpler of the two techniques. Any user can create a folder junction, setting both the junction’s name and destination. Consider this folder structure:

C:\Parent\program.exe

Run the command:

mklink /J C:\Parent\Child C:\Parent

This creates a logical loop by pointing a child folder back at its parent. The child directory now appears to contain everything the parent does, including itself. The result is an effectively unlimited number of valid paths to the same file, bounded only by the path-length limit:

C:\Parent\Child\program.exe
C:\Parent\Child\Child\program.exe
C:\Parent\Child\Child\Child\Child\program.exe

Due to the loop, you can append "Child" to the path any number of times and it remains valid. Every one of these paths resolves to the same executable.

GhostTree

GhostTree builds on the GhostBranch concept by creating multiple child folders instead of one. For example, you can create two child folders:

mklink /J C:\Parent\Child1 C:\Parent
mklink /J C:\Parent\Child2 C:\Parent

Now every level in the path can branch through either Child1 or Child2, and both loop back to the parent. This allows various paths:

C:\Parent\Child1\program.exe
C:\Parent\Child2\program.exe
C:\Parent\Child1\Child1\program.exe
C:\Parent\Child1\Child2\program.exe
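As an added example that is not code from the Varonis post, the Python below builds both the GhostBranch layout (one link) and the GhostTree layout (two links) in a temporary directory and runs two scanners over them. A POSIX directory symlink stands in for the NTFS junction (on Windows you would create the links with mklink /J instead; the loop and the cycle check are identical). A walker that follows links without cycle detection finds one extra copy of program.exe per level it is allowed to descend, and 2^n copies with two links, so only a depth cap saves it. A walker that records the identity of every directory it has scanned (st_dev and st_ino, which on NTFS are the volume serial and the 64-bit file ID) recognises the link as a directory it has already seen, skips it, and finishes with every file scanned exactly once. The function names, the two-byte placeholder "program.exe", and the directory names are assumptions of the example.

```python
"""Cycle-safe recursive walk over a GhostBranch / GhostTree layout.

Added example (not code from the Varonis post). It uses a POSIX directory
symlink as a stand-in for an NTFS junction; on Windows create the links with
`mklink /J` instead. The loop shape and the cycle check are the same.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def build_loop_tree(parent: Path, link_names: list[str]) -> Path:
    """Create parent/program.exe plus one link per name, each pointing back at parent.
    Assumption of the example: the file is a two-byte placeholder, not a real PE."""
    parent.mkdir(parents=True)
    (parent / "program.exe").write_bytes(b"MZ")
    for name in link_names:
        os.symlink(parent, parent / name, target_is_directory=True)
    return parent


def naive_walk(start: Path, max_depth: int) -> list[Path]:
    """Follow every directory (links included) with no cycle detection, as a
    fragile scanner would. Only the depth cap makes this terminate on a loop."""
    found: list[Path] = []

    def recurse(directory: Path, depth: int) -> None:
        if depth > max_depth:
            return
        with os.scandir(directory) as it:
            for entry in it:
                if entry.is_dir():            # True for links to directories too
                    recurse(Path(entry.path), depth + 1)
                else:
                    found.append(Path(entry.path))

    recurse(start, 0)
    return found


def safe_walk(start: Path) -> dict[str, list]:
    """Follow links but remember the identity of every directory scanned.
    os.stat follows links and junctions, so a link back to an ancestor (or a
    second link to the same target) resolves to an identity already seen and is
    skipped: every file is scanned once and the walk always terminates."""
    visited: set[tuple[int, int]] = set()
    files: list[Path] = []
    skipped: list[tuple[Path, Path]] = []   # (link as found, where it really points)

    def identity(path: Path) -> tuple[int, int]:
        st = os.stat(path)                  # on NTFS: volume serial + 64-bit file ID
        return (st.st_dev, st.st_ino)

    def recurse(directory: Path) -> None:
        visited.add(identity(directory))
        with os.scandir(directory) as it:
            for entry in sorted(it, key=lambda e: e.name):
                path = Path(entry.path)
                if not entry.is_dir():
                    files.append(path)
                elif identity(path) in visited:
                    skipped.append((path, Path(os.path.realpath(path))))
                else:
                    recurse(path)

    recurse(start)
    return {"files": files, "skipped": skipped}


def points_to_ancestor(link: Path) -> bool:
    """True when a link's real target is the directory containing it or any
    directory above that, i.e. the link closes a loop rather than merely
    aliasing some unrelated directory."""
    target = os.path.realpath(link)
    container = os.path.realpath(link.parent)
    return os.path.commonpath([target, container]) == target


def demo(depth_cap: int = 5) -> dict:
    """Build both layouts in a temp dir and compare the two walkers."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        branch = build_loop_tree(Path(tmp, "branch", "Parent"), ["Child"])
        tree = build_loop_tree(Path(tmp, "tree", "Parent"), ["Child1", "Child2"])

        naive_branch = naive_walk(branch, depth_cap)
        results["branch_naive"] = len(naive_branch)                # one copy per level
        results["tree_naive"] = len(naive_walk(tree, depth_cap))   # 2**(cap+1) - 1 copies
        results["all_same_file"] = all(
            os.path.samefile(p, branch / "program.exe") for p in naive_branch
        )

        sb, st = safe_walk(branch), safe_walk(tree)
        results["branch_safe"] = (len(sb["files"]), len(sb["skipped"]))
        results["tree_safe"] = (len(st["files"]), len(st["skipped"]))
        results["loop_links"] = [link.name for link, _ in st["skipped"]
                                 if points_to_ancestor(link)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The identity set is the important part: it is what lets the walker still follow legitimate junctions (a redirected Program Files, say) while refusing to rescan a directory it has already covered, and points_to_ancestor separates a genuine loop from a harmless second alias when you want to alert on the former.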

Path calculations

Both GhostBranch and GhostTree produce paths that can extend to the maximum length Windows allows. The difference is in path diversity, which is where GhostTree’s additional child folder changes things considerably.

GhostBranch

Within Windows, the traditional maximum path length is 260 characters. To maximize the number of directory levels, use a single-letter junction name (e.g., "P") directly under the C: drive and an executable named 1.exe, so that each level costs only two characters.

Example paths include:

C:\P\1.exe
C:\P\P\1.exe
C:\P\P\P\...\1.exe

Because each \P level adds two characters, this configuration allows for approximately 126 levels, and therefore approximately 126 unique paths, before the path length limit is reached.

GhostTree

The GhostTree method uses two single-letter junction names, "P" and "B", in contrast to the single name used previously. Examples include:

C:\B\1.exe
C:\P\B\1.exe
C:\P\B\P\B\...\1.exe

While the maximum depth remains around 126 folders, each level may be...
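As an added example that is not code from the post, the following Python models the path arithmetic of both calculations above: how many junction levels fit under the 260-character MAX_PATH for a given junction name and file name, and how many distinct paths that depth yields with one name (GhostBranch) or several (GhostTree). It generalises to any number of names and any name length. max_depth, count_paths, enumerate_paths and summary are names chosen for the example; it only computes and creates nothing on disk.

```python
"""Path arithmetic for GhostBranch / GhostTree under the Win32 path limit.

Added example, not code from the Varonis post. It models the counting only
and never touches the file system. Function names are the example's own.
"""
from __future__ import annotations

from itertools import product
from typing import Iterator

MAX_PATH = 260           # Win32 MAX_PATH, which includes the terminating NUL
USABLE = MAX_PATH - 1    # characters available for the path string itself


def max_depth(names: list[str], filename: str,
              limit: int = USABLE, root: str = "C:\\") -> int:
    """Deepest chain of junction names whose full path still fits in `limit`.
    Each level costs len(name) + 1 for the backslash, so the shortest name is
    the one that bounds the depth; that is why single-letter names are used."""
    step = min(len(name) for name in names) + 1
    budget = limit - len(root) - len(filename)
    return max(budget // step, 0)


def count_paths(branches: int, depth: int) -> int:
    """Distinct paths with 1..depth junction levels when every level may use
    any of `branches` names: depth for one name, a geometric series otherwise."""
    if branches == 1:
        return depth
    return (branches ** (depth + 1) - branches) // (branches - 1)


def enumerate_paths(names: list[str], filename: str,
                    limit: int = USABLE, root: str = "C:\\") -> Iterator[str]:
    """Brute force the same set by building every path and keeping those that
    fit. Only sensible for small limits; the formula above is for the real one."""
    depth = 1
    while True:
        emitted = 0
        for combo in product(names, repeat=depth):
            path = root + "\\".join(combo) + "\\" + filename
            if len(path) <= limit:
                yield path
                emitted += 1
        if emitted == 0:      # nothing at this depth fits, so nothing deeper will
            return
        depth += 1


def summary(names: list[str], filename: str = "1.exe", limit: int = USABLE) -> dict:
    """Depth bound and path count for one layout, as a dict for easy comparison."""
    depth = max_depth(names, filename, limit)
    return {"names": names, "depth": depth, "paths": count_paths(len(names), depth)}


if __name__ == "__main__":
    print(summary(["P"]))          # GhostBranch: one junction name
    print(summary(["P", "B"]))     # GhostTree: two junction names
```

With a single-letter name and 1.exe, max_depth gives 125 levels once the terminating null is subtracted from MAX_PATH (the figure of approximately 126 above is what you get without subtracting it). The single-name count grows linearly with depth, while two names give 2**126 - 2 distinct paths at the same depth, which is the path diversity the GhostTree section is describing; a scanner that enumerates paths rather than tracking directory identity has no hope of finishing.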
