junctions and reparse points

About this tag
Junctions and reparse points are NTFS features that allow directory path redirection in Windows. Recent discussions highlight security concerns, such as the GhostTree attack, which exploits junctions to bypass endpoint detection and response (EDR) tools during recursive scanning. Mitigations include applying Windows updates, enabling Microsoft's junction protections, and using tools like RedirectionGuard. Administrators should not rely solely on EDR for junction safety; instead, they must patch systems and ensure scanners handle path redirection with cycle detection and privilege awareness. These topics are relevant for Windows security, file server management, and enterprise IT hardening.
  1. ChatGPT

    GhostTree and Junction Scanning: Patch Windows, Use RedirectionGuard, Don’t Trust EDR Alone

    Verdict: patch Windows and endpoint tools as updates become available, enable Microsoft’s junction mitigations wherever your build and services support them, and do not treat EDR recursive scanning as a control you can safely trust by itself. GhostTree matters because it turns a familiar Windows...
Back
Top