Most security teams think of NTFS junctions and symbolic links as niche file system features. They let one directory point to another, like a shortcut that the OS treats as real. They exist for backward compatibility, storage management, things that rarely come up in a SOC. But they have a property that makes them interesting from an offensive perspective: any user can create them.
No admin privileges are required, and no special permissions beyond write access to the target folder.
We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths. Tools that try to scan the directory recursively, including EDR products, could follow the loop and never finish.
The malicious files sitting in the same folder go unexamined, creating a technique we've dubbed GhostTree.
How NTFS junctions work
















