GhostTree Attack Disrupts EDR Tools, Leaving Files Unscanned
Severity: High (Score: 63.0)
Sources: Cybersecuritynews, Gbhackers
Keywords: ghosttree, attack, tools, hang, files, unscanned, technique
Severity indicators: attack tools
Summary
The GhostTree attack technique, disclosed by Varonis Threat Labs, exploits NTFS junctions to create recursive directory structures that cause Endpoint Detection and Response (EDR) tools to hang. This evasion method leads to unscanned files on Windows systems, allowing malicious payloads to bypass detection. The attack has raised significant concerns among cybersecurity professionals due to its potential to undermine security measures. Currently, there are no known patches or mitigations available to address this vulnerability. Organizations using EDR tools are advised to monitor their systems closely for unusual behavior. The full scope of the impact remains unclear, but the technique poses a serious risk to endpoint security. As of now, no specific CVEs have been associated with this attack.

Key Points:
- GhostTree exploits NTFS junctions to create recursive loops, causing EDR tools to hang.
- The attack leaves malicious files unscanned on Windows systems, increasing security risks.
- No patches or mitigations are currently available for this newly disclosed attack technique.
Detailed Analysis
**Impact**
EDR tools on Windows systems are affected globally, as the attack exploits NTFS junctions to cause security scanners to hang indefinitely. This results in files remaining unscanned, increasing the risk of undetected malware execution and data compromise. The disruption impacts organizations relying on EDR solutions for endpoint security, potentially affecting sectors with high dependency on Windows environments. No specific numbers or geographic regions were provided.

**Technical Details**
The attack vector involves abusing NTFS junctions to create recursive directory loops that trap EDR scanners in infinite paths, causing them to hang. This technique was discovered by Varonis Threat Labs and targets the file scanning stage of the kill chain by exploiting filesystem behavior rather than software vulnerabilities or CVEs. No malware or additional tools were mentioned, nor were any IOCs or infrastructure details provided.

**Recommended Response**
Defenders should monitor for unusual directory structures involving NTFS junctions and implement detection rules to identify recursive junction loops. EDR vendors should update their scanning logic to handle or bypass recursive junctions safely. In the absence of patches or specific mitigations, organizations should increase monitoring of endpoint scan failures and review logs for hanging processes related to file scanning.
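The recommended response asks for detection of recursive junction loops and for scanners that cannot be trapped by them. The following is an added example (not code from the source articles or from Varonis) of a loop-safe directory walk: it records the (device, inode) identity of every directory on the current path and flags any entry whose resolved target is already an ancestor, which is exactly the recursive-junction pattern described above, while still counting the files it reaches. The sample tree, file names and the use of a symlink as a stand-in for an NTFS junction are constructed for the demo.

```python
import os
import tempfile

def _dir_identity(path):
    """(device, inode) of the directory `path` finally refers to; os.stat follows junctions."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def find_junction_loops(root, max_depth=64):
    """Enumerate `root` without re-entering a directory already on the current path.
    Returns (loop_entries, file_count): junction/symlink entries that point back at an
    ancestor (the GhostTree pattern) and the number of files actually reached."""
    loops, files = [], 0
    stack = [(root, (_dir_identity(root),))]  # ancestor identities along this path
    while stack:
        directory, ancestors = stack.pop()
        if len(ancestors) > max_depth:  # hard stop so a scan can never spin forever
            continue
        with os.scandir(directory) as it:
            for entry in it:
                if entry.is_file(follow_symlinks=False):
                    files += 1
                    continue
                if not entry.is_dir(follow_symlinks=True):
                    continue  # dangling link or special entry
                try:
                    ident = _dir_identity(entry.path)
                except OSError:
                    continue
                if ident in ancestors:
                    loops.append(entry.path)  # re-entering an ancestor: a recursive loop
                    continue
                stack.append((entry.path, ancestors + (ident,)))
    return loops, files

def build_demo_tree(base):
    """Constructed sample: base/share/docs/loop -> base/share. A symlink stands in for an
    NTFS junction (mklink /J) so the demo runs on any OS; the walker treats both alike."""
    docs = os.path.join(base, "share", "docs")
    os.makedirs(docs)
    open(os.path.join(docs, "report.txt"), "w").close()
    open(os.path.join(base, "share", "payload.bin"), "w").close()
    os.symlink(os.path.join(base, "share"), os.path.join(docs, "loop"), target_is_directory=True)

def demo():
    """Build the sample tree in a temp dir; return (loop entry names, files scanned)."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        loops, files = find_junction_loops(base)
        return sorted(os.path.basename(p) for p in loops), files
```

Any entry reported in `loops` is a candidate for a detection rule; a scanner built on the same ancestor check reaches every real file once and never follows the loop.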
Source articles (2)
- New GhostTree Attack Causes EDR Tools to Hang, Leaving Files Unscanned — Gbhackers · 2026-05-21
  A newly disclosed attack technique dubbed “GhostTree” is raising concerns among defenders after researchers demonstrated how it can disrupt endpoint detection and response (EDR) tools and bypass file…
- New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned — Cybersecuritynews · 2026-05-21
  A novel evasion technique called GhostTree, which exploits NTFS junctions to create recursive directory loops. Uncovered by Varonis Threat Labs, this method traps Endpoint Detection and Response (EDR)…
Timeline
- 2026-05-21 — GhostTree attack technique disclosed: Varonis Threat Labs revealed the GhostTree attack, which disrupts EDR tools by exploiting NTFS junctions.
- 2026-05-21 — Cybersecurity community alerted: The cybersecurity community has been informed about the GhostTree attack's potential to bypass file scanning mechanisms.