Recursive NTFS Loops Allow New GhostTree Technique to Disrupt EDR File Scanning
Overview
Researchers from Varonis Threat Labs disclosed a new evasion technique called GhostTree, which abuses NTFS junctions in Windows to disrupt endpoint security scanning and hide malicious files from inspection.
The technique creates recursive directory loops that can trap Endpoint Detection and Response (EDR) products in effectively endless file traversal paths, causing scanning engines to freeze, stall, or skip malicious payloads entirely.
According to the published research, the issue was demonstrated against Microsoft Defender; Microsoft has since introduced mitigations for the recursive scanning behavior.
How the Technique Works
GhostTree builds on a previously known concept called GhostBranch.
The attack abuses NTFS junctions, a Windows file system feature implemented as a reparse point: a directory entry that transparently resolves to another directory on a local volume, so that anything opening or enumerating the junction path is silently redirected to the target directory.
Threat actors can create these structures with the built-in Windows command (the target is stored as an absolute path to a directory on a local volume; network shares cannot be junction targets):
mklink /J <link> <target>
PowerShell's New-Item -ItemType Junction creates the same kind of reparse point.
Unlike symbolic links, which require SeCreateSymbolicLinkPrivilege (held by administrators by default, and by standard users only when Developer Mode is enabled), a junction can be created by any user with write access to the parent directory. No elevation is needed, which makes the technique attractive for attackers operating with limited access.
The original GhostBranch approach created a recursive loop by linking a child directory back to its parent directory.
GhostTree significantly expands this concept by creating multiple recursive branches simultaneously.
According to Varonis, this generates an exponentially growing directory structure capable of producing enormous numbers of logical file paths pointing to the same files: if each directory holds k junctions that lead back to an ancestor, a scanner that follows them sees k^d distinct paths at depth d, so three junctions per level already add up to more than a thousand logical directories within six levels, all backed by a single physical directory.
As a result:
- security scanners continuously recurse through generated paths
- scanning processes consume excessive resources
- malware files placed within the structure may remain unscanned
- endpoint protection agents may stop responding entirely
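To make the growth concrete, here is an added PowerShell example that is not part of Varonis' publication or this article's source material. It builds a small GhostTree-style structure under the user's temp directory (one real directory containing a harmless constructed text file and three junctions that all point back at that directory), then compares what a naive walker sees with what a walker that refuses to descend into reparse points sees. The branch count, depth cap, directory and file names are illustrative choices made for the demo, not values from the research.

```powershell
# Added demo, not code from Varonis or from this article's sources.
# Assumptions: Windows, PowerShell 5.1 or later, a non-elevated session is enough.
$ErrorActionPreference = 'Stop'

$Root     = Join-Path $env:TEMP ('ghosttree-demo-' + [guid]::NewGuid().ToString('N'))
$Branches = 3     # junctions per level; GhostBranch is the single-junction case
$DepthCap = 6     # a real scanner has no cap; this only keeps the naive walk finite

# Physical layout: one real directory holding a harmless constructed file and
# $Branches junctions that each point back at that same directory (every junction is a loop).
$Real = Join-Path $Root 'real'
New-Item -ItemType Directory -Path $Real | Out-Null
Set-Content -LiteralPath (Join-Path $Real 'payload.txt') -Value 'constructed sample file, not malware'
$Links = 1..$Branches | ForEach-Object {
    $link = Join-Path $Real "branch$_"
    # Same primitive as: mklink /J "$link" "$Real"  (no elevation required)
    New-Item -ItemType Junction -Path $link -Value $Real | Out-Null
    $link
}

function Get-ReparseTarget {
    param([string]$Path)
    # PowerShell 5.1 exposes Target as string[], PowerShell 7 as string; @()[0] handles both.
    $t = [string](@((Get-Item -LiteralPath $Path -Force).Target)[0])
    return ($t -replace '^(\\\\\?\\|\\\?\?\\)', '')   # drop a \\?\ or \??\ prefix if present
}

# Naive walker: treats a junction like any other folder and descends into it,
# counting logical directory paths until the artificial depth cap stops it.
function Measure-NaiveWalk {
    param([string]$Path, [int]$Depth, [int]$Cap)
    $n = 1
    if ($Depth -ge $Cap) { return $n }
    foreach ($d in [System.IO.Directory]::EnumerateDirectories($Path)) {
        $n += Measure-NaiveWalk -Path $d -Depth ($Depth + 1) -Cap $Cap
    }
    return $n
}

# Loop-safe walker: never descends into a reparse point; instead it records where
# each junction leads so recursive (ancestor-pointing) ones can be reported.
function Measure-SafeWalk {
    param([string]$Path, [System.Collections.Generic.List[object]]$Junctions)
    $n = 1
    foreach ($d in [System.IO.Directory]::EnumerateDirectories($Path)) {
        $attr = [System.IO.File]::GetAttributes($d)
        if ($attr -band [System.IO.FileAttributes]::ReparsePoint) {
            $target = Get-ReparseTarget $d
            $prefix = $target.TrimEnd('\') + '\'
            $Junctions.Add([pscustomobject]@{
                Junction         = $d
                Target           = $target
                PointsToAncestor = $d.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
            })
            continue
        }
        $n += Measure-SafeWalk -Path $d -Junctions $Junctions
    }
    return $n
}

$junctions = [System.Collections.Generic.List[object]]::new()
$naive = Measure-NaiveWalk -Path $Real -Depth 0 -Cap $DepthCap
$safe  = Measure-SafeWalk  -Path $Real -Junctions $junctions

"Physical directories under real\   : 1 (plus $Branches junctions to itself)"
"Naive walker, depth cap $DepthCap        : $naive logical directories"
"Loop-safe walker                    : $safe"
$junctions | Format-Table -AutoSize

# Cleanup: Directory.Delete on a junction removes the junction itself, not its target.
foreach ($link in $Links) { [System.IO.Directory]::Delete($link) }
Remove-Item -LiteralPath $Root -Recurse -Force
```

Run it from a normal (non-elevated) PowerShell 5.1 or 7 session; it removes everything it created. With three branches and a cap of six levels the naive count is the sum of 3^k for k from 0 to 6, that is 1093 logical directories for one physical one, and only the cap keeps that number finite. A scanner that follows junctions without such a cap, or without tracking which physical directories it has already visited, never finishes, which is the condition the research describes.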
Why This Matters
Modern EDR and antivirus platforms rely heavily on recursive file analysis to inspect directory structures and detect malicious payloads.
GhostTree specifically targets this behavior.
Instead of attempting to bypass detection signatures directly, the technique abuses the file system logic itself to exhaust or confuse the scanning engine.
The research highlights several operational concerns:
- the attack can be performed using native Windows functionality
- no kernel exploit is required
- administrative privileges are not always necessary
- malicious payloads can remain adjacent to the recursive structures undetected
This makes the technique particularly relevant for environments where endpoint protection is heavily trusted as the primary defensive layer.
DIAMATIX Perspective
GhostTree is another example of attackers shifting from traditional malware evasion toward infrastructure and logic abuse.
Rather than focusing only on payload obfuscation, threat actors increasingly target:
- scanning logic
- operating system behaviors
- trust relationships
- resource exhaustion scenarios
- defensive blind spots
This type of activity is especially important because it may not initially appear malicious from a signature perspective.
Recursive NTFS structures can resemble legitimate file system operations unless behavioral monitoring and anomaly detection are in place.
Organizations using endpoint-heavy detection strategies should ensure they also maintain:
- behavioral visibility
- file system anomaly monitoring
- process-level telemetry
- layered detection across endpoints and infrastructure
CISO Analysis
This research demonstrates an important operational reality:
Endpoint protection alone is not always sufficient against modern evasion techniques.
Security teams should pay particular attention to:
- abnormal NTFS junction creation, especially by non-administrative users or in user-writable locations such as profile and temp directories
- recursive directory anomalies: junctions whose target is one of their own ancestors, or directories containing several junctions
- endpoint agents consuming excessive resources
- unexpected scanning failures
- file systems generating excessive traversal activity
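Turning the points above into something a SOC can run: the following PowerShell hunt is an added example written for this article, not a tool from Varonis or Microsoft. It walks the given roots without following reparse points (so it cannot itself be trapped), resolves every junction's target, and flags junctions whose target is one of their own ancestors as well as directories holding several junctions, the fan-out GhostTree depends on. The default roots and the fan-out threshold are assumptions to be tuned per environment, not values from the research.

```powershell
# Added hunt script, not from the Varonis research or this article's sources.
# Assumptions: Windows, PowerShell 5.1 or later; save as a .ps1 and run as a user who
# can read the roots (elevated if you scan an entire system volume).
[CmdletBinding()]
param(
    [string[]]$Roots = @($env:USERPROFILE, $env:ProgramData),   # illustrative defaults
    [int]$FanOutThreshold = 2                                   # illustrative; baseline first
)

function Resolve-JunctionTarget {
    param([string]$Path)
    try {
        # PowerShell 5.1 exposes Target as string[], PowerShell 7 as string; @()[0] handles both.
        $t = [string](@((Get-Item -LiteralPath $Path -Force).Target)[0])
        return ($t -replace '^(\\\\\?\\|\\\?\?\\)', '')   # drop a \\?\ or \??\ prefix
    } catch {
        return ''   # non-link reparse points (cloud placeholders, dedup) or access denied
    }
}

function Find-RecursiveJunctions {
    param([string[]]$Roots, [int]$FanOutThreshold)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    foreach ($r in $Roots) { if (Test-Path -LiteralPath $r) { $queue.Enqueue($r) } }

    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        try { $children = [System.IO.Directory]::GetDirectories($dir) }
        catch { continue }   # access denied, path too long: skip, never stall
        $junctions = @()
        foreach ($child in $children) {
            try { $attr = [System.IO.File]::GetAttributes($child) } catch { continue }
            if ($attr -band [System.IO.FileAttributes]::ReparsePoint) {
                $junctions += $child   # recorded but never enqueued: do not follow it
            } else {
                $queue.Enqueue($child)
            }
        }
        foreach ($j in $junctions) {
            $target = Resolve-JunctionTarget $j
            $prefix = $target.TrimEnd('\') + '\'
            $ancestor = $j.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                Junction         = $j
                Target           = $target
                PointsToAncestor = $ancestor
                SiblingJunctions = $junctions.Count
                Suspicious       = $ancestor -or ($junctions.Count -ge $FanOutThreshold)
            }
        }
    }
}

Find-RecursiveJunctions -Roots $Roots -FanOutThreshold $FanOutThreshold |
    Where-Object Suspicious |
    Sort-Object Junction |
    Format-Table -AutoSize
```

Expect some legitimate hits: Windows ships backward-compatibility junctions such as Application Data under AppData\Local and under ProgramData that point at their own parent directory; they are protected by deny-listing ACLs and belong in a baseline, not in an alert. The file system records neither who created a junction nor when, so pair the hunt with process telemetry (mklink runs inside cmd.exe, New-Item -ItemType Junction inside powershell.exe) and with endpoint agent health metrics, since a stalled or crashed scanner is itself the strongest signal the technique leaves.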
The research also reinforces the importance of defense-in-depth architectures where endpoint detection is combined with:
- centralized telemetry
- network monitoring
- behavioral analytics
- identity visibility
- correlation across multiple detection layers
What This Means for Your Environment
- This type of attack relies on abusing native Windows file system behavior rather than exploiting traditional malware vulnerabilities.
- Detection depends on identifying anomalous recursive directory structures, NTFS junction activity, and endpoint scanning instability.
- Effective response requires layered monitoring, behavioral analysis, and visibility beyond the endpoint agent itself.
Would this type of endpoint evasion be visible inside your current environment?
Can your security operations identify abnormal recursive file system activity before endpoint protection becomes ineffective?
Sources
- Varonis Threat Labs research
- Microsoft Security documentation
- Public technical analysis related to GhostTree and GhostBranch techniques
- Windows NTFS junction behavior documentation
This article is based on publicly available threat intelligence and technical research published in May 2026.