GhostLock CreateFileW share-mode file-locking technique
Technical Analysis
Summary
Hide ▲
Show ▼
GhostLock exposes a file-locking technique that abuses Windows CreateFileW to deny access to files on local systems and SMB shares. Because the method relies on legitimate exclusive opens, it can trigger STATUS_SHARING_VIOLATION errors while avoiding the write-and-encrypt signals many defenses watch for. The result is a disruption-focused tactic that can mask other malicious activity in an environment.
Related Happenings
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical Analysis
H score23
First: 16.06.2026 17:17
Last: 16.06.2026 17:17
Sources 1
About this happening:
**GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical AnalysisAbout this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)
Vulnerability
H score24
First: 03.06.2026 13:18
Last: 03.06.2026 13:18
Sources 1
About this happening:
**Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...
Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)
VulnerabilityAbout this happening: **Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...
Timeline
-
12.05.2026 01:02 2 articles · 1mo ago
GhostLock proof-of-concept release
Initial DisclosureKim Dvash of Israel Aerospace Industries released GhostLock, a proof-of-concept tool that uses Windows CreateFileW and dwShareMode = 0 to open files with exclusive access on local disks and SMB network shares, causing STATUS_SHARING_VIOLATION errors for other users and applications. The technique can be run by standard domain users without elevated privileges, is described as disruption-based rather than destructive, and is less visible to tools that focus on mass file writes or encryption; the most reliable observable is a per-session open-file count with ShareAccess = 0 at the file server layer.
Show sources
- New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02
- New GhostLock tool abuses Windows API to block file access — www.bleepingcomputer.com — 12.05.2026 01:02