Security researchers have unveiled a new attack technique, dubbed GhostTree, that weaponizes NTFS junction points and reparse points to completely bypass endpoint detection and response (EDR) systems. The method allows malware to execute and persist on fully patched Windows systems without triggering alarms, even when EDR platforms perform recursive directory scanning. The discovery underscores a harsh reality for defenders: EDR alone is not enough, and failing to enable built-in Windows mitigations like RedirectionGuard leaves a gaping blind spot.
GhostTree was demonstrated publicly by independent researcher Or Yair, who detailed how an attacker can create a directory junction that points to a non-existent or intentionally empty target, then manipulate the file system to hide a malicious payload behind that junction. Most EDR solutions, including those from leading vendors, rely on file system minifilter drivers that inspect operations in real time. However, because reparse points are resolved by the I/O manager only after the minifilter has processed the operation, the EDR sees only the empty target and never the actual malicious file.
The technique exploits a fundamental architectural gap: Windows processes reparse points in two stages. When a file operation occurs, the minifilter callback first sees the original path. If the path is a reparse point, the system then retrieves the target and issues a new I/O request. Many EDR drivers optimize their scanning logic by trusting the initial path and failing to re-scan the resolved target. This is especially problematic for directory junctions, a type of reparse point that links one local directory to another, even across volumes.
In practice, an attacker could drop a malicious DLL into a hidden directory, create a junction that redirects C:\Windows\System32\legit_app\plugins to that hidden directory, and then load the application. The EDR minifilter sees the junction as empty or safe because it checks the original path without following the reparse point. The malicious DLL loads into the process without ever being scanned, giving the attacker arbitrary code execution in the context of a trusted process.
This is not a theoretical exercise. Yair demonstrated the GhostTree technique against multiple top-tier EDR products and found that recursive scanning settings – often touted as a defense against such bypasses – failed to close the gap. Recursive scanning simply traverses all subdirectories of a parent directory, but if the junction points to a location that is not a subdirectory, or if the EDR does not resolve reparse points during traversal, the scanner remains blind. Furthermore, some EDRs only recursively scan when a process is created, meaning dynamically loaded modules after process initialization are completely ignored.
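The traversal gap described above can be made concrete with a small junction-aware directory walker. This is an added example, not code from the article or from Yair's research. It assumes PowerShell 5.1 or later on Windows, uses the Target and LinkType properties that PowerShell exposes on reparse-point items, and takes a placeholder root path; a scanner that only descends into real subdirectories never sees the rows this walker reports under "Via".

```powershell
# Added example: a junction-aware walk of a directory tree.
# For every reparse point it meets, the walker resolves the target itself,
# records whether the target is missing (dangling) or outside the tree being
# scanned, and keeps walking *through* the junction so that files behind it
# are enumerated. Assumptions: PowerShell 5.1+ on Windows; the root path is
# supplied by the caller; (Get-Item).Target resolves the reparse target.

function Get-JunctionAwareListing {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$MaxDepth = 32          # guard against junction loops
    )

    $rootFull = (Resolve-Path -LiteralPath $Root).Path
    $seen     = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $results  = [System.Collections.Generic.List[object]]::new()
    $queue    = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue([pscustomobject]@{ Path = $rootFull; Depth = 0; Via = $null })

    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        if ($cur.Depth -gt $MaxDepth) { continue }
        if (-not $seen.Add($cur.Path)) { continue }   # already visited: loop or duplicate target

        foreach ($entry in Get-ChildItem -LiteralPath $cur.Path -Force -ErrorAction SilentlyContinue) {
            $isReparse = ($entry.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            if ($isReparse) {
                # Resolve the reparse target ourselves instead of trusting the visible path.
                $target = @((Get-Item -LiteralPath $entry.FullName -Force).Target)[0]
                $exists = [bool]$target -and (Test-Path -LiteralPath $target)
                $results.Add([pscustomobject]@{
                    Path      = $entry.FullName
                    Kind      = $entry.LinkType          # Junction, SymbolicLink, ...
                    Target    = $target
                    Dangling  = -not $exists
                    OutOfTree = $exists -and -not $target.StartsWith($rootFull, 'OrdinalIgnoreCase')
                    Via       = $cur.Via
                })
                # Follow the junction so whatever lives behind it is listed too.
                if ($exists -and $entry.PSIsContainer) {
                    $queue.Enqueue([pscustomobject]@{ Path = $target; Depth = $cur.Depth + 1; Via = $entry.FullName })
                }
            }
            elseif ($entry.PSIsContainer) {
                $queue.Enqueue([pscustomobject]@{ Path = $entry.FullName; Depth = $cur.Depth + 1; Via = $cur.Via })
            }
            else {
                $results.Add([pscustomobject]@{
                    Path = $entry.FullName; Kind = 'File'; Target = $null
                    Dangling = $false; OutOfTree = $false; Via = $cur.Via
                })
            }
        }
    }
    return $results
}

# Usage (placeholder path): show every reparse point under the root, then the
# files that are only reachable by following one of them.
$listing = Get-JunctionAwareListing -Root 'C:\Program Files\ExampleApp'
$listing | Where-Object { $_.Kind -ne 'File' } | Format-Table Path, Kind, Target, Dangling, OutOfTree
$listing | Where-Object { $_.Via } | Format-Table Path, Via
```

A dangling junction (the empty or non-existent target the article describes) shows up with Dangling set, and a junction whose target lies outside the scanned root shows up with OutOfTree set; both are the cases a subdirectory-only recursion walks straight past.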
The response from Microsoft and the security community is clear: patch Windows and endpoint tools as updates become available, enable junction mitigations wherever your build and services support them, and do not treat EDR recursive scanning as a silver bullet. Microsoft has provided two critical defenses: FSCTL_SET_REPARSE_POINT restrictions and the RedirectionGuard feature.
RedirectionGuard, introduced in Windows 10 version 1903 and Server 2019, prevents a non-privileged user from creating a directory junction that redirects to a location they cannot access or that has stricter security. This kills the most common GhostTree scenario where an attacker creates a junction from a writable user directory to a protected system directory. However, RedirectionGuard is not enabled by default on all builds and may be incompatible with some legacy applications that legitimately use junctions. Administrators must weigh compatibility against security, but the default stance for any security-conscious environment should be to enable it.
Additionally, Microsoft’s advisory on junction-based attacks (associated with CVE-2023-29010 and CVE-2023-33569) recommends developers use the OPEN_REPARSE_POINT flag when scanning files to force the system to open the reparse point itself rather than the target. However, this is a per-application setting, not a system-wide guard. Microsoft’s own Defender antivirus and Defender for Endpoint have been updated to resolve reparse points correctly, but third-party EDRs have been slower to adopt these flags. That adoption gap creates a window of vulnerability.
For Windows administrators, the immediate steps are clear. First, apply the latest cumulative updates from Microsoft. The July 2023 security updates tightened permissions around reparse point creation and improved how the Kernel Transaction Manager handles symbolic links, making GhostTree-style attacks harder. Second, enable RedirectionGuard through Group Policy or a registry key. On Windows 10 1903 and later, the registry key is HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\RedirectionGuardEnabled (set to 1). On Windows 11, the feature is enabled by default, but verify it is not disabled by a GPO. Third, if using a third-party EDR, demand transparency from the vendor about how it handles reparse point resolution and whether its recursive scanning is truly recursive across junctions.
Testing the effectiveness of your EDR against GhostTree is straightforward. Use the mklink /J command to create a junction from a test directory to an empty folder, then place a known malicious file (like the EICAR test string) behind the junction and attempt to access it through the junction. If the EDR does not alert, you have a blind spot. Some EDRs may claim to detect such activity through behavioral analysis—for example, by monitoring the creation of the junction itself—but skilled attackers can copy legitimate junctions or load them from archives, evading those behavioral checks.
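The test just described, together with the RedirectionGuard registry check from the administrator steps, as an added example that is not code from the article or from the researcher: it reads the RedirectionGuardEnabled value at the key the article names, builds a junction with mklink /J from a test tree to a directory outside that tree, writes the standard EICAR test string behind the junction, shows what the reparse point itself contains with fsutil, reads the file back through the junction, and cleans up. The paths under $env:TEMP are placeholders; whether the EDR raised an alert is read from the EDR console, not from this script.

```powershell
# Added example: exercise the junction blind spot on a test machine.
# Assumptions: elevated PowerShell 5.1+ on Windows; $env:TEMP is a placeholder
# for wherever the test tree should live; the registry value name is the one
# given in the article.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$regName = 'RedirectionGuardEnabled'
$rg = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
"RedirectionGuardEnabled = $(if ($null -eq $rg) { '<not set>' } else { $rg })"

$scanRoot = Join-Path $env:TEMP 'ghosttree-scanroot'   # the tree a scanner would be pointed at
$hidden   = Join-Path $env:TEMP 'ghosttree-hidden'     # where the payload really lives
$junction = Join-Path $scanRoot 'plugins'              # junction -> $hidden
$viaJunc  = Join-Path $junction 'eicar.com'

New-Item -ItemType Directory -Path $scanRoot, $hidden -Force | Out-Null

# The EICAR test string, assembled from two halves so this script is not itself flagged on disk.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'

try {
    cmd /c mklink /J "$junction" "$hidden" | Out-Null
    if (-not (Test-Path -LiteralPath $junction)) { throw 'junction creation failed' }

    # What the reparse point itself carries (tag and data), which is what a
    # filter opening the reparse point rather than its target would inspect.
    fsutil reparsepoint query "$junction"

    # Write the payload at its real location, never through the scan root.
    [IO.File]::WriteAllText((Join-Path $hidden 'eicar.com'), $eicar)

    # Access the payload through the junction and report the outcome.
    $content = [IO.File]::ReadAllText($viaJunc)
    "Read through junction succeeded: $($content.Length) bytes. Check the EDR console for an alert on $viaJunc"
}
catch {
    # An access-denied or 'virus detected' error here means something did intervene.
    "Blocked or failed: $($_.Exception.Message)"
}
finally {
    # rmdir on a junction removes only the link, not the target directory.
    if (Test-Path -LiteralPath $junction) { cmd /c rmdir "$junction" | Out-Null }
    Remove-Item -LiteralPath $scanRoot, $hidden -Recurse -Force -ErrorAction SilentlyContinue
}
```

If the write to the hidden directory is blocked, the on-access engine caught the file at its real path; if the write succeeds and the read through the junction also succeeds without an alert, the junction path is the blind spot the article describes. Leave the registry value as read; this script only reports it, since enabling RedirectionGuard is a change to weigh against the compatibility concerns noted above.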
The GhostTree revelation is the latest in a series of attacks that exploit the inherent complexity of NTFS reparse points. Previous incarnations include Process Doppelgänging, DLL hollowing via junctions, and symbolic link redirections to bypass user account control (UAC). What sets GhostTree apart is its silent destruction of the “recursive scan” assumption that many security engineers hold dear. Organizations that have invested heavily in EDR often believe that enabling recursive scanning and setting aggressive scan-on-read policies closes the backdoor. GhostTree proves that belief dangerous.
A deeper dive into the technical mechanics reveals why. NTFS reparse points are a general mechanism for extending the file system. A file or directory can contain a reparse point attribute with a reparse tag and a data buffer. When the I/O manager opens a path, it checks for the reparse point and hands the buffer to the corresponding file system filter or driver identified by the tag. The driver then returns a new path, and the I/O manager re-issues the open request. However, the minifilter that originally intercepted the open call may never see the re-issued request because the context has changed. If the minifilter does not register for post-reparse callbacks or does not explicitly re-scan the resolved path, it misses the true target.
Mitigation at the kernel level is possible. Microsoft has added a flag, FLTFL_OPEN_REPARSE_POINT, to the FltCreateFileEx2 API, which tells the filter manager to open the reparse point itself, not the target. This allows a security driver to inspect the reparse data directly and decide whether to block the operation, log it, or allow it and then register for the target resolution. EDR vendors must adopt this flag and redesign their scanning logic accordingly. The slow pace of adoption is partly due to performance concerns: resolving every reparse point adds overhead, and many legitimate applications and OS components use junctions and symbolic links extensively.
Yet performance cannot be the excuse forever. The GhostTree proof-of-concept is publicly available on GitHub, and its simplicity has transformed it from a niche research topic into a weaponizable tool. Within days of Yair’s presentation at Black Hat, scans by threat intelligence firms detected increased testing of junction-based evasion in the wild. Nation-state actors and ransomware gangs alike have historically been quick to adopt file-system-level evasions. The history of EDR bypasses—from unhooking ntdll.dll to direct system calls—shows that once a technique is public, it becomes part of the standard attacker playbook.
Microsoft, for its part, has accelerated hardening reparse point handling. In Windows 11 22H2 and Server 2022, RedirectionGuard is stronger and covers more scenarios. Moreover, the new Smart App Control feature, while aimed at blocking malicious binaries outright, can also neuter GhostTree if the initial dropper is a non-trusted executable. However, Smart App Control is not a substitute for proper junction mitigation; it is a complementary defense.
Beyond Windows itself, the attack has implications for virtualized and containerized environments. Windows containers often rely on junction points to provide a union file system, and container breakout techniques could leverage GhostTree to escape from a container to the host. Administrators of Kubernetes nodes running Windows containers should audit their container runtime configurations to ensure that volume mounts do not inadvertently expose host directories susceptible to junction redirection.
The response from the EDR vendor community has been mixed. Some have released updates with improved reparse point resolution; others have issued blog posts downplaying the risk, claiming their existing behavioral engines catch the parent process creation anomaly. Independent testing by organizations like AV-Comparatives and SE Labs will be critical to hold vendors accountable. In the interim, enterprises should complement their EDR with the built-in Windows defenses and consider deploying dedicated file integrity monitoring that operates at a lower level than minifilter drivers.
For Microsoft, the GhostTree saga is a reminder that the trust boundary between user mode and the file system minifilter is fragile. The company’s shift toward a zero-trust approach within the operating system—exemplified by features like Credential Guard, Virtualization-Based Security, and now RedirectionGuard—is the right direction. But the default setting remains permissive for backward compatibility. The onus is on administrators to flip the switch.
In conclusion, GhostTree is not a bug; it is a design limitation of the way EDRs interact with the file system. Patching Windows and endpoint tools is necessary but not sufficient. Enabling RedirectionGuard and auditing junction usage across the enterprise are critical steps. Most importantly, the security industry must abandon the illusion that EDR recursive scanning can be trusted alone. As Yair’s research shows, the attacker only needs to be right once, and the defender’s margin for error shrinks with every new reparse point trick.
The road ahead involves continued collaboration between Microsoft, EDR vendors, and the security research community. Responsible disclosure led to patches and guidance before GhostTree became an in-the-wild epidemic. Now the test is whether organizations implement those fixes before the next variant of the technique surfaces. For Windows enthusiasts and IT pros, the message is urgent: patch now, enable RedirectionGuard, and verify your EDR’s stance on reparse points. Your endpoints’ safety depends on it.
For further reading, see Microsoft’s guidance on junction mitigations (MSRC advisory ADV230001), the official documentation on RedirectionGuard, and Yair’s full write-up on GitHub. Additionally, the NSA’s Cybersecurity Information Sheet on event-triggered reparse points provides useful context for network defenders.