ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Volume Creation

The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

ID: DC0097

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
AWS:CloudTrail	CreateVolume
WinEventLog:Microsoft-Windows-VSS	Volume Shadow Copy Creation

ID	Name	Technique Detected
DET0586	Detection of NTDS.dit Credential Dumping from Domain Controllers	T1003.003
DET0308	Detection Strategy for Modify Cloud Compute Infrastructure	T1578