One Day Sec

What methods can defenders use to detect backdoor exploitation of Junction Folders and Library Files?

Defenders should monitor the registry keys `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID` and `HKEY_CURRENT_USER\Software\Classes\CLSID` for suspicious DLL paths. For Junction Folders, check folder names for unexpected CLSID associations (e.g., names ending with `.{CLSID}`). For Library Files, scan `.library-ms` files for XML elements referencing unfamiliar or suspicious CLSIDs. Automated scripts from researchers like Jayden Zheng (linked in the article) can help. Additionally, pay attention to user-space persistence mechanisms, since both techniques work with standard user privileges. For more on auditing access controls, refer to Penetration Techniques - Access Control List in Windows.
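As an added detection example (not from the article or from the researchers' scripts it links), the following Python flags CLSID references in a `.library-ms` file that are not on a defender-maintained allowlist and recognises folder names carrying a `.{CLSID}` suffix; the allowlist entries and the sample library file are constructed placeholders, not real Windows CLSIDs.

```python
import re
import xml.etree.ElementTree as ET

# A CLSID/GUID wrapped in braces, e.g. {01234567-89AB-CDEF-0123-456789ABCDEF}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# Constructed allowlist of CLSIDs the defender has vetted as expected in library
# files (placeholder values, not real Windows CLSIDs).
KNOWN_GOOD = {"{AAAAAAAA-0000-0000-0000-000000000001}"}

# Constructed .library-ms content: one expected folder type plus a second CLSID
# reference that is not on the allowlist and should be flagged for review.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <folderType>{AAAAAAAA-0000-0000-0000-000000000001}</folderType>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>shell:::{bbbbbbbb-0000-0000-0000-000000000002}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def clsids_in_library(xml_text):
    """Return every CLSID found in element text or attributes, upper-cased."""
    found = set()
    for elem in ET.fromstring(xml_text).iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            found.update(m.upper() for m in CLSID_RE.findall(value))
    return found


def unfamiliar_clsids(xml_text, allowlist=KNOWN_GOOD):
    """CLSIDs referenced by the library file that are not on the allowlist."""
    known = {c.upper() for c in allowlist}
    return sorted(clsids_in_library(xml_text) - known)


def junction_folder_clsid(folder_name):
    """Return the CLSID if a folder name ends with '.{CLSID}', else None."""
    m = re.search(r"\.(" + CLSID_RE.pattern + r")$", folder_name)
    return m.group(1).upper() if m else None


if __name__ == "__main__":
    print("unfamiliar CLSIDs:", unfamiliar_clsids(SAMPLE_LIBRARY_MS))
    for name in ("Reports", "Reports.{bbbbbbbb-0000-0000-0000-000000000002}"):
        print(name, "->", junction_folder_clsid(name))
```

Any CLSID the scan flags should be resolved against the `Classes\CLSID` registry keys named above to see which DLL it loads.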
detection, registry monitoring, CLSID, library-ms analysis, file association, persistence detection
