I came across an interesting NTFS behavior where adding a trailing space in a Windows directory path creates a “ghost” folder that Explorer and most tools can’t display or access normally.
Attackers can abuse this to drop files inside what appears to be the real System32 directory, making the content extremely hard to notice.
I wrote a short breakdown with examples and behavior analysis.
I came across an interesting NTFS behavior where adding a trailing space in a Windows directory path creates a “ghost” folder that Explorer and most tools can’t display or access normally.
Attackers can abuse this to drop files inside what appears to be the real System32 directory, making the content extremely hard to notice.
I wrote a short breakdown with examples and behavior analysis.
At least, my Cygwin quickly complain there is sth wrong:
Still, ls work if test123 is shadowed. But at least, you see it :)