New GhostLock tool abuses Windows API to block file access
Summary
A new proof-of-concept tool called GhostLock has been released, demonstrating how attackers can abuse a legitimate Windows API to block access to local or network-shared files. The technique can disrupt file operations, potentially impacting system stability and availability.
IFF Assessment
FOE
This tool demonstrates a new method for attackers to deny access to critical files, which is detrimental to defenders.
Defender Context
Defenders should be aware of this new technique that leverages legitimate Windows APIs for malicious purposes. Monitoring for unusual file access denial patterns and unauthorized use of file system APIs could help detect such attacks.