A new evasion strategy termed GhostTree is causing significant disruptions in Endpoint Detection and Response (EDR) systems by exploiting NTFS junctions to create endless recursive directory loops.
GhostTree Technique and Its Discovery
GhostTree, identified by Varonis Threat Labs, cleverly traps EDR scanners in self-perpetuating directory loops, resulting in system hangs and neglected malicious files. NTFS junctions act like advanced shortcuts, redirecting applications from one directory to another, and require only standard write permissions to create, making them attractive to threat actors.
Cybercriminals can easily execute the junction linking process using the mklink /J command in the Windows terminal, which connects a new path to a target directory without needing elevated privileges.
Impact on Endpoint Detection and Response
The NTFS file system, while supporting extended paths, encounters limitations due to legacy software constraints that restrict path depth to 260 characters. This limitation affects how far recursive directory loops can extend.
The GhostTree technique amplifies this issue by creating a recursive loop where directories replicate themselves endlessly. By linking multiple child directories back to the same parent, attackers create a vast number of file paths that resemble a complex binary tree, challenging EDR systems to the point of failure.
Security Scanning Challenges
When security tools attempt to scan these manipulated directories, they become trapped in the infinite loops, failing to detect any accompanying malware. This oversight highlights the need for robust defense strategies beyond traditional endpoint scanning.
Varonis researchers demonstrated the effectiveness of this technique against Windows Defender, initially prompting no response from Microsoft. However, after recognizing the gravity of the vulnerability, Microsoft issued a patch to address the recursive scanning flaw.
Mitigation and Future Outlook
Organizations must adopt a defense-in-depth approach to counteract such sophisticated evasion techniques. Monitoring file access events at the data layer can help detect the unusual creation of junctions, while identifying recursive directory patterns can preemptively thwart GhostTree attacks.
As cyber threats evolve, maintaining vigilance and updating security protocols are crucial for protecting systems from advanced evasion tactics like GhostTree. Follow us on Google News, LinkedIn, and X for more on cybersecurity developments.
