A security researcher has released a proof-of-concept tool, GhostLock, that turns a documented feature of the Windows file API into a denial-of-access attack. The tool shows how an attacker can use legitimate functionality, file-sharing modes, to block access to files, whether they are stored locally or on SMB network shares. There is no memory-safety bug or privilege escalation involved; the weakness is that the API behaves exactly as designed.
Understanding the GhostLock Technique
Developed by Kim Dvash of Israel Aerospace Industries, GhostLock relies on the Windows CreateFileW API and its file-sharing modes. The technique hinges on the dwShareMode parameter of CreateFileW(), which tells Windows which kinds of access (read, write, delete) other opens of the same file may be granted while the caller's handle stays open.
When a file is opened with dwShareMode = 0, Windows gives the caller exclusive access: as long as that handle is open, no other open of the file that requests read, write or delete access succeeds, regardless of which user or process makes it. The caller only needs the access right it asks for (here GENERIC_READ), so read permission on the file is enough. For instance, the following snippet opens finance.xlsx on an SMB share in exclusive mode:
    #include <windows.h>

    // Open the file for reading with no sharing. The handle stays valid, and the
    // file stays locked, until CloseHandle() is called or the process exits.
    HANDLE hFile = CreateFileW(
        L"\\\\server\\share\\finance.xlsx", // lpFileName: UNC path (local paths behave the same)
        GENERIC_READ,                       // dwDesiredAccess: read permission is all that is needed
        0,                                  // dwShareMode = 0: deny read, write and delete to everyone else
        NULL,                               // lpSecurityAttributes
        OPEN_EXISTING,                      // dwCreationDisposition: never create, only open
        FILE_ATTRIBUTE_NORMAL,              // dwFlagsAndAttributes
        NULL                                // hTemplateFile
    );
While that handle is open, any other attempt to open the file fails with STATUS_SHARING_VIOLATION. Win32 callers see it as ERROR_SHARING_VIOLATION (error 32, "The process cannot access the file because it is being used by another process"), and SMB clients receive the same NTSTATUS in the server's CREATE response, so the file is effectively locked for the whole network.
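The lock and the sharing violation described above, reproduced as an added example that is not code from the GhostLock project. It uses .NET's FileStream from PowerShell, which calls CreateFileW underneath; FileShare.None is dwShareMode = 0. The path in $Path is an assumption: any file the current user can read, local or UNC (for example \\server\share\finance.xlsx), behaves the same way.

```powershell
# Added example, not code from the GhostLock project. $Path is an assumption:
# any readable file, local or UNC, shows the same behaviour.
$Path = 'C:\Temp\finance.xlsx'

function Test-ExclusiveLock {
    param([string]$Path)

    # Holder: read access only, no sharing (FileShare.None == dwShareMode 0).
    # Read permission on the file is all this needs; no writes, no elevation.
    $holder = [System.IO.File]::Open($Path,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::None)
    try {
        # Second opener stands in for another user or application. It is as
        # permissive as it can be (shares read and write) and still fails,
        # because the holder's share mode, not the opener's, decides.
        try {
            $second = [System.IO.File]::Open($Path,
                [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Read,
                [System.IO.FileShare]::ReadWrite)
            $second.Dispose()
            'Unexpected: second open succeeded'
        }
        catch [System.IO.IOException] {
            # GetBaseException() unwraps PowerShell's MethodInvocationException.
            # HResult 0x80070020 is ERROR_SHARING_VIOLATION (Win32 error 32),
            # the user-mode rendering of STATUS_SHARING_VIOLATION.
            $ex = $_.Exception.GetBaseException()
            'Second open failed: HResult=0x{0:X8} {1}' -f $ex.HResult, $ex.Message
        }
    }
    finally {
        # Releasing the holder's handle is all it takes to restore access; the
        # same happens when the process dies or its SMB session is torn down.
        $holder.Dispose()
    }

    # Confirm it: once the holder is gone, the identical open succeeds.
    $after = [System.IO.File]::Open($Path,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    $after.Dispose()
    'Open succeeded after the holder released its handle'
}

Test-ExclusiveLock -Path $Path
```

Running it against a UNC path from a workstation and a second session on another machine makes the network effect visible: the second machine's open fails with the same HResult until the holder's handle is closed.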
Source: Kim Dvash
The GhostLock tool, now available on GitHub, automates the attack by walking SMB shares recursively and opening every file it can with share mode 0. While those handles stay open, every new open of those files fails with a sharing violation. Nothing about this requires elevation: a standard domain user can run it, and the only permission it needs is read access to the files it locks, which is exactly what most users have on a departmental share.
The effect is amplified if the attacker runs it from several compromised hosts at once, each one immediately re-opening a file as soon as another host's handle on it is released. The lock has no persistence of its own, though: Windows closes the handles as soon as the GhostLock process exits, the SMB session that owns them is torn down (on a Windows file server an administrator can force this with Close-SmbSession or Close-SmbOpenFile), or the file server reboots, and access is restored the moment that happens. The client can simply reconnect and lock again, so closing sessions buys time rather than ending the attack.
Disruption Over Destruction
According to Dvash, the technique is meant as a disruption attack rather than a destructive one such as ransomware. “The impact is disruption-based, not destructive. The parallel to ransomware is the operational downtime window, not data loss,” he explained to BleepingComputer.
This attack resembles a denial-of-service technique, potentially serving as a diversion during intrusions. Attackers could leverage widespread file-access disruptions to distract IT personnel while executing data theft, lateral movement, or other malicious activities elsewhere within the network.
Many security products and behavioural detection systems are tuned to spot mass file writes, renames, or encryption. GhostLock does none of that: it produces a large number of read-only file opens that are individually legitimate, never modifies a byte, and so stays below the threshold those detections watch for.
As Dvash points out, the one reliable indicator is the per-session count of open files with ShareAccess set to 0, measured at the file server. That metric lives in the storage platform's management interface, not in Windows event logs, EDR telemetry, or network flow data. On a Windows file server the built-in SMB cmdlets expose the per-session open count (Get-SmbSession reports NumOpens) but not the share mode of each open, so defenders there have to work from the raw count and the pattern of opens.
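A defender-side counterpart for a Windows file server, covering both the detection metric above and the session teardown mentioned earlier, as an added example that is not one of the whitepaper's queries. It uses the SmbShare cmdlets that ship with Windows Server and must run elevated on the file server. Because those cmdlets do not report each open's share mode, the raw per-session open count stands in for "opens with ShareAccess = 0"; the values of $Threshold and $SampleSize are assumptions to be tuned against your own baseline, since a busy application server can legitimately hold many open files.

```powershell
# Added example, not part of the GhostLock whitepaper. Run elevated on a Windows
# file server. $Threshold and $SampleSize are assumptions; tune $Threshold to the
# server's normal per-session open count.
$Threshold  = 500
$SampleSize = 5

function Find-SuspiciousSmbSession {
    param([int]$Threshold)

    Get-SmbSession |
        Where-Object { $_.NumOpens -ge $Threshold } |
        ForEach-Object {
            $session = $_
            # Pull a few of the paths so an analyst can see the "walk the share"
            # pattern (many distinct files held open by one session) at a glance.
            $sample = Get-SmbOpenFile |
                Where-Object { $_.SessionId -eq $session.SessionId } |
                Select-Object -First $SampleSize -ExpandProperty Path
            [pscustomobject]@{
                SessionId  = $session.SessionId
                Client     = $session.ClientComputerName
                User       = $session.ClientUserName
                OpenFiles  = $session.NumOpens
                SampleOpen = ($sample -join '; ')
            }
        }
}

$suspicious = Find-SuspiciousSmbSession -Threshold $Threshold
$suspicious | Format-Table -AutoSize

# Response: closing a session releases every handle it holds on the server side,
# which restores access to the files. The client can reconnect and re-lock, so
# pair this with blocking the client host or disabling the account. Uncomment
# once you have reviewed the list above.
# foreach ($s in $suspicious) { Close-SmbSession -SessionId $s.SessionId -Force }
```

Scheduling the detection half to run every few minutes and writing the output to your SIEM gives a per-session open-count time series; a sudden jump from a workstation account, with read-only opens across many directories, is the GhostLock shape. The response line is deliberately commented out because Close-SmbSession with -Force also drops legitimate users on that session.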
To assist IT teams and defenders, Dvash has provided SIEM queries and an NDR detection rule in the GhostLock whitepaper, serving as a valuable template for enhancing detection capabilities.