GhostTree: NTFS Junctions Exploit Creates Infinite Paths to Bypass EDR
A novel technique dubbed **GhostTree** leverages obscure **NTFS** junction features to create recursive directory loops, generating an effectively infinite number of file paths. This method allows attackers to conceal malicious files, rendering recursive scans by **EDR** products and other security tools ineffective. The discovery highlights a significant blind spot in traditional endpoint security defenses.
Most security teams consider **NTFS** junctions and symbolic links as niche file system features. These capabilities allow one directory to point to another, functioning like a system-level shortcut. While primarily used for backward compatibility or storage management, their core property, that any user can create them without administrative privileges, makes them a potent tool for attackers.
Researchers discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate an effectively infinite number of file paths. Tools designed to scan directories recursively, including **EDR** products, can follow these loops indefinitely, failing to complete their scans. This leaves malicious files in the same folder unexamined, a technique dubbed **GhostTree**.
## How NTFS Junctions Work
**Windows** file paths are fundamental to the operating system, yet they come with inherent complexities. The **NTFS** file system introduces advanced capabilities like junctions and symbolic links, which serve legitimate purposes such as redirecting directories, maintaining backward compatibility, or reorganizing files without physical relocation.
A junction is a type of **NTFS** reparse point that redirects one directory to another. Creating one requires only write permissions and a simple command in **CMD**:
`mklink /J LinkToFolder TargetFolder`
This command creates a junction named "LinkToFolder" that transparently points to "TargetFolder." Any application accessing files through "LinkToFolder" perceives the contents of the target directory as if they were local.
A critical constraint in classic **Windows** systems is the maximum path length of 260 characters, a limitation rooted in legacy software and file system design. While it is technically possible to extend this limit up to 32,767 characters via a registry key, many applications and utilities are not equipped to handle paths beyond 260. This practical restriction dictates the depth of recursive loops and the number of unique paths **GhostTree** can produce.
### GhostBranch
**GhostBranch** is the simpler of the two techniques. Any user can create a folder junction, specifying both the junction's name and its destination. Consider this folder structure:
`C:\Parent\program.exe`
Running the command:
`mklink /J C:\Parent\Child C:\Parent`
This creates a logical loop by pointing a child folder back to its parent. The child directory now contains everything the parent does, including itself. The result is an unlimited number of valid paths to the same file:
`C:\Parent\Child\Program.exe`
`C:\Parent\Child\Child\Program.exe`
`C:\Parent\Child\Child\Child\Child\Program.exe`
Due to the loop, adding multiple "Child" folders to the path remains valid, with every one of these paths resolving to the same executable.

### GhostTree
**GhostTree** builds on the **GhostBranch** concept by creating multiple child folders instead of just one. For example, an attacker can create two child folders:
`mklink /J C:\Parent\Child1 C:\Parent`
`mklink /J C:\Parent\Child2 C:\Parent`
Now, every level in the path can branch through either **Child1** or **Child2**, and both loop back to the parent. This allows for a vast array of paths:
`C:\Parent\Child1\Program.exe`
`C:\Parent\Child2\Program.exe`
`C:\Parent\Child1\Child1\Program.exe`
`C:\Parent\Child1\Child2\Program.exe`

## Path Calculations
Both **GhostBranch** and **GhostTree** produce paths that can extend to the maximum length **Windows** allows. The key difference lies in path diversity, where **GhostTree**'s additional child folders significantly amplify the possibilities.
### GhostBranch
Within **Windows**, the maximum traditional path length is 260 characters. To maximize the number of directories, one can create single-letter folders (e.g., "P") directly under the **C:** drive and employ an executable named `1.exe`.
Example paths include:
`C:\P\1.exe`
`C:\P\P\1.exe`
`C:\P\P\P\...\1.exe`
This configuration allows for approximately 126 unique directory structures due to path length limitations.
### GhostTree
The **GhostTree** method introduces two parent folders, "P" and "B," contrasting with the single-folder structure used previously. Examples include:
`C:\B\1.exe`
`C:\P\B\1.exe`
`C:\P\B\P\B\...\1.exe`
While the maximum depth remains around 126 folders, each level may be named either "P" or "B," effectively creating a binary tree-like structure. With this configuration, each node represents a distinct path, and the total number of possible nodes is calculated as:
`2^126 ≈ 8.5 × 10^37`
To put this in perspective, this number is vastly larger than the estimated number of grains of sand on Earth (8.5 × 10^18) or even the atoms in the human body (10^27).
## Why This Matters for Defenders
With just a few lines of code, an ordinary user can generate an effectively endless number of valid paths, making it impossible for recursive `dir` commands to complete scanning parent directories. The same principle applies to **EDR** products that scan folders for malicious files. An attacker can place malware in the parent directory, set up the **GhostTree** structure, and the containing folder becomes effectively unscannable. The scan hangs, and the malicious files go unexamined.
Researchers tested this technique against **Windows Defender** and confirmed its efficacy in evading folder scans. The issue was reported to **Microsoft**, which initially closed the ticket, stating that "bypassing Defender is not crossing a security boundary." However, the issue was subsequently patched.
Techniques like **GhostTree** serve as a stark reminder that endpoint scanning is merely one layer of defense. Monitoring file system activity at the data layer can catch what scanners miss, including anomalous junction creation and recursive directory structures that should not exist in normal operations. **Varonis** monitors file access patterns and detects this kind of anomalous activity across file systems and cloud infrastructure.
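As an added example (not code from the article or its researchers), the following Python scanner shows the defensive counterpart to the behaviour described above: it refuses to descend through any reparse point, so a **GhostBranch**/**GhostTree** loop cannot make it hang, and it flags every link whose target is its own parent or an ancestor, which is the "recursive directory structure that should not exist" a monitoring rule would look for. The constructed sample tree uses a directory symlink in place of an `mklink /J` junction so it also builds on Linux/macOS; on Windows the same `st_file_attributes` check covers real junctions.

```python
import os
import stat
import tempfile

def is_reparse_point(st):
    """True for a symlink (any OS) or an NTFS reparse point such as a junction (Windows)."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def scan(root):
    """Loop-safe recursive scan. Returns (files, loops): real files under root, and
    reparse points whose target is their own directory or an ancestor of it."""
    files, loops = [], []
    stack = [os.path.realpath(root)]
    while stack:
        d = stack.pop()
        with os.scandir(d) as it:
            for e in it:
                if is_reparse_point(e.stat(follow_symlinks=False)):
                    target = os.path.realpath(e.path)
                    # A link back to its parent (or any ancestor) yields unbounded paths:
                    # record it and never descend through it. Other links are skipped too;
                    # whatever they point at is reached once, via its real path.
                    if d == target or d.startswith(target + os.sep):
                        loops.append(e.path)
                    continue
                if e.is_dir(follow_symlinks=False):
                    stack.append(e.path)
                elif e.is_file(follow_symlinks=False):
                    files.append(e.path)
    return files, loops

def build_demo_tree(base):
    """Constructed sample: Parent/Program.exe plus Child1 and Child2 pointing back at
    Parent (a symlink stands in for the article's `mklink /J` junction)."""
    parent = os.path.join(base, "Parent")
    os.makedirs(parent)
    with open(os.path.join(parent, "Program.exe"), "wb") as f:
        f.write(b"constructed placeholder, not a real binary")
    for name in ("Child1", "Child2"):
        os.symlink(parent, os.path.join(parent, name), target_is_directory=True)
    return parent

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        files, loops = scan(build_demo_tree(tmp))
        return [os.path.basename(p) for p in files], sorted(os.path.basename(p) for p in loops)
```

A naive `os.walk(followlinks=True)` over the same tree never finishes; `scan` returns after one pass and reports the single real file plus the two self-referential links.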