GhostTree: A technique for bypassing antivirus protection through NTFS internals
⚔️ Attack Techniques & Methods | 2026-05-27, 09:55
A Varonis study describes a technique called GhostTree that allows files and directories in NTFS to be hidden by manipulating directory index structures ($I30). Instead of directly modifying MFT records, an attacker alters index entry structures, causing a desynchronization between the logical view of the directory and the actual state of the file system.
As a result, standard Windows tools, including File Explorer and system APIs, do not display these