[T1006] Direct Volume Access – Adversaries directly access logical volumes to read or write raw file system structures, bypassing standard file access controls and monitoring; defenders must monitor drive handle activity, process commands, and PowerShell logging to detect misuse. #DirectVolumeAccess #DefenseEvasion
Keypoints
- Direct volume access bypasses file-level controls by reading raw disk structures, allowing adversaries to access data without triggering standard file auditing.
- Windows permits programs to open logical volumes directly, enabling low-level operations that can read or reconstruct files from file system metadata.
- Utilities like NinjaCopy (PowerSploit's Invoke-NinjaCopy, which parses the NTFS structures itself) and legitimate tools (vssadmin, wbadmin, esentutl) can be abused to create Volume Shadow Copies or copy files that are locked by the operating system, aiding stealthy collection and exfiltration.
- Detection focuses on monitoring drive handle opens, process command lines, PowerShell script activity, and unusual volume access patterns.
- Operational defenses include enabling detailed PowerShell and Sysmon logging, restricting privileged tool use, and alerting on unexpected opens of volume device paths such as \\.\PhysicalDrive0 or \\.\C:.
Description:
- Like a thief who lifts a floorboard to access hidden valuables without opening the locked doors, direct volume access lets attackers get data beneath normal protections.
- The technique opens a logical volume (or the physical disk beneath it) as a device and reads or writes the file system structures directly, walking NTFS metadata such as the $MFT to locate and reconstruct file contents. Because no file handle is ever opened on the target file, Windows file access controls, file-system auditing and file-level monitoring are never consulted, which makes data theft and tampering stealthier and harder to detect.
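- Worked example (added here; not code from the original page or from any of the cited tools): the first step of any raw-volume read is parsing the NTFS boot sector to find the $MFT, because that is where the file system's per-file records live. The parser below does exactly that and then seeks to the first $MFT record. It runs against a constructed in-memory volume image so it executes offline; on a Windows host the same functions would be fed `open(r'\\.\C:', 'rb')` opened as administrator, which is the handle open that the Detection section says to watch for. Field offsets are the documented NTFS BPB layout; the constructed image and its values (4 KiB clusters, $MFT at cluster 4) are assumptions for the example.

```python
"""Parse an NTFS boot sector read from a raw volume and locate the $MFT (added example)."""
import io
import struct


def parse_ntfs_boot_sector(sector):
    """Decode the NTFS BIOS Parameter Block from the first 512 bytes of a volume."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[3:11] != b"NTFS    ":  # OEM ID is 'NTFS' padded to 8 bytes
        raise ValueError("not an NTFS boot sector (OEM ID mismatch)")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")

    (bytes_per_sector,) = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]          # example assumes clusters <= 64 KiB
    (total_sectors,) = struct.unpack_from("<Q", sector, 0x28)
    (mft_lcn,) = struct.unpack_from("<Q", sector, 0x30)         # $MFT start cluster
    (mft_mirror_lcn,) = struct.unpack_from("<Q", sector, 0x38)  # $MFTMirr start cluster
    (clusters_per_record,) = struct.unpack_from("<b", sector, 0x40)

    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**(-n) bytes (normally -10 -> 1024).
    if clusters_per_record < 0:
        record_size = 1 << -clusters_per_record
    else:
        record_size = clusters_per_record * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_offset": mft_lcn * cluster_size,
        "mft_mirror_offset": mft_mirror_lcn * cluster_size,
        "mft_record_size": record_size,
    }


def locate_mft(volume):
    """volume: binary file-like object positioned anywhere (e.g. open(r'\\\\.\\C:', 'rb')
    on Windows). Returns the parsed BPB plus the signature of the first $MFT record,
    which must read b'FILE' on a healthy volume."""
    volume.seek(0)
    info = parse_ntfs_boot_sector(volume.read(512))
    volume.seek(info["mft_offset"])
    record = volume.read(info["mft_record_size"])
    info["mft_record_signature"] = record[:4]
    return info


def build_sample_volume():
    """Constructed 32 KiB NTFS-like image: 512-byte sectors, 8 sectors per cluster,
    $MFT at cluster 4 (byte 16384). Values are made up for the example."""
    sector = bytearray(512)
    sector[3:11] = b"NTFS    "
    struct.pack_into("<H", sector, 0x0B, 512)        # bytes per sector
    sector[0x0D] = 8                                 # sectors per cluster
    struct.pack_into("<Q", sector, 0x28, 204800)     # total sectors (100 MiB volume)
    struct.pack_into("<Q", sector, 0x30, 4)          # $MFT LCN
    struct.pack_into("<Q", sector, 0x38, 2)          # $MFTMirr LCN
    struct.pack_into("<b", sector, 0x40, -10)        # 2**10 = 1024-byte records
    sector[510:512] = b"\x55\xaa"

    image = bytearray(32768)
    image[:512] = sector
    image[16384:16388] = b"FILE"                     # first $MFT record header
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    for key, value in locate_mft(build_sample_volume()).items():
        print(f"{key:>22}: {value}")
```

- Everything after this point (decoding the $MFT record's attribute list, following data runs, copying the clusters out) is the rest of what a NinjaCopy-style tool does, and none of it opens a handle to the file being copied.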
Detection:
- Log and alert on processes that open volume device paths (examples: \\.\PhysicalDrive*, \\.\C:, \\?\Volume{*}). Sysmon Event ID 9 (RawAccessRead) records reads from a drive made through the \\.\ device notation and names the process and the \Device\HarddiskVolumeN that was read; note that Event ID 11 is FileCreate and Event ID 22 is DNS query, so neither covers this. Kernel object auditing or EDR handle telemetry fills the gap for opens that do not result in a read.
- Monitor process command lines and parent-child relationships for known utilities (Invoke-NinjaCopy, vssadmin, wbadmin, esentutl) and the flags that indicate shadow copy or raw-copy operations, for example vssadmin create shadow, wbadmin start backup, and esentutl /vss.
- Enable and collect detailed PowerShell Module, ScriptBlock (Event ID 4104) and Transcription logging; decode -EncodedCommand payloads and alert on obfuscated commands that reference volume device paths or shadow copy creation.
- Instrument Drive Access and File Creation data sources in EDR to detect unexpected large reads from raw volumes or creation of backup/restore artifacts outside normal maintenance windows.
- Watch backup and shadow copy creation events in application and system logs; correlate with user context and scheduled jobs to reduce false positives.
- Use integrity monitoring to detect unusual changes to volume metadata such as the $MFT, and flag processes that open raw write handles to a volume, which is rarer than raw reads and harder to explain as backup activity.
- Harden and restrict use of administrative utilities through application control (allowlisting) and privileged access management; verify alerts with forensic collection (memory, handle lists) to confirm raw volume access.
Tactics:
Defense Evasion
Platforms:
Network Devices, Windows
Data Sources:
Command: Command Execution, Drive: Drive Access, File: File Creation
Relationship Citations:
(Citation: Cary Esentutl), (Citation: LOLBAS Esentutl), (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024), (Citation: Nearest Neighbor Volexity), (Citation: MSTIC Octo Tempest Operations October 2023)
Read More: https://attack.mitre.org/techniques/T1006