Volume

Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives.[1][2][3]

ID: DS0034
Platforms: IaaS, Linux, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 17 November 2024

Data Components

Volume: Volume Creation

The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

Data Collection Measures:

  • Cloud-Based Logging & Monitoring
    • AWS CloudTrail
      • CreateVolume – Logs the creation of new Amazon Elastic Block Store (EBS) volumes.
      • RunInstances – Can be correlated to detect automatic volume provisioning.
    • Azure Monitor & Log Analytics
      • Microsoft.Compute/disks/write – Captures creation of new managed/unmanaged disks.
      • Microsoft.Storage/storageAccounts/write – Detects creation of new Azure Blob Storage volumes.
    • Google Cloud Logging (GCP)
      • compute.disks.insert – Tracks new persistent disk creation.
      • compute.instances.attachDisk – Logs attachment of a volume to a running VM.
    • OpenStack Logs
      • volume.create – Captures new storage volume provisioning.
      • cinder.volume.create – Logs OpenStack Cinder block storage creation.
  • Host-Based & SIEM Detection
    • Linux/macOS System Logs
      • /var/log/syslog & /var/log/messages – Detects new mount points or attached storage.
      • dmesg | grep "new disk" – Identifies kernel messages for volume attachment.
      • AuditD – Tracks mkfs (filesystem creation) for new volume provisioning.
    • Windows Event Logs
      • Event ID 1006 (Storage Management Events) – Captures disk volume creation.
      • Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares.

Detects (Domain – ID – Name):

  • Enterprise – T1578 – Modify Cloud Compute Infrastructure
    Monitor for the unexpected creation or presence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Volume: Volume Deletion

The removal of a cloud-based or on-premise block storage volume. This action permanently deletes the allocated storage and may result in data loss if not backed up.

Data Collection Measures:

  • Cloud Logging & APIs
    • AWS CloudTrail Logs
      • eventName: DeleteVolume (tracks volume deletions)
    • Azure Monitor Logs
      • operationName: Microsoft.Compute/disks/delete
      • status: Success | Failure (flag unauthorized delete attempts)
    • Google Cloud Audit Logs
      • protoPayload.methodName: "v1.compute.disks.delete"
      • authenticationInfo.principalEmail (identifies the user deleting the volume)
  • System & Host-Based Logging
    • Linux & macOS Logs:
      • /var/log/syslog or /var/log/messages for volume detach/deletion actions
    • Windows Event Logs:
      • Event ID 98 (Storage Class Memory)
      • Event ID 225 (Volume Removal Detected)
      • Event ID 12 (Disk Removal Notification)

Detects (Domain – ID – Name):

  • Enterprise – T1485 – Data Destruction
    Monitor for unexpected deletion of a cloud volume (ex: AWS DeleteVolume).

  • Enterprise – T1578 – Modify Cloud Compute Infrastructure
    Monitor for the unexpected deletion or absence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Volume: Volume Enumeration

An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes).

Detects (Domain – ID – Name):

  • Enterprise – T1580 – Cloud Infrastructure Discovery
    Monitor cloud logs for API calls and other potentially unusual activity related to block object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Volume: Volume Metadata

Contextual data about a cloud volume and activity around it, such as id, type, state, and size.

Detects (Domain – ID – Name):

  • Enterprise – T1578 – Modify Cloud Compute Infrastructure
    Periodically baseline cloud block storage volumes to identify malicious modifications or additions.

Volume: Volume Modification

Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume).

Detects (Domain – ID – Name):

  • Enterprise – T1611 – Escape to Host
    Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations.

  • Enterprise – T1578 – Modify Cloud Compute Infrastructure
    Monitor for the unexpected changes to cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
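
As an added example (not part of the ATT&CK page or any vendor tooling), the change-identifier check described for T1578 under Volume Creation, Volume Deletion and Volume Modification above, run over constructed CloudTrail-style records: a CreateVolume request carries its tags in the event itself, while DeleteVolume and ModifyVolume name only a volumeId, so the tag is looked up in a describe-volumes baseline of the kind the Volume Metadata component describes. The tag key "ChangeTicket", the baseline, the ARNs and the sample records are all assumptions.

```python
import json

# Events this page names for volume creation, deletion and modification.
VOLUME_CHANGE_EVENTS = {"CreateVolume", "DeleteVolume", "ModifyVolume"}
CHANGE_TAG_KEY = "ChangeTicket"  # assumed tag key written by change management

# Constructed baseline of volume metadata (volumeId -> tags) from a periodic
# describe-volumes inventory; delete/modify records carry only a volumeId.
VOLUME_BASELINE = {"vol-0aaa": {"ChangeTicket": "CHG-1001", "Name": "db-data"},
                   "vol-0bbb": {"Name": "scratch"}}

def request_tags(record):
    """Tags sent with a CreateVolume request (requestParameters.tagSpecificationSet)."""
    params = record.get("requestParameters") or {}
    items = (params.get("tagSpecificationSet") or {}).get("items", [])
    return {t["key"]: t["value"] for spec in items for t in spec.get("tags", [])}

def classify(record, baseline=VOLUME_BASELINE):
    """None for non-volume events, else 'expected'/'unexpected' by change identifier."""
    name = record.get("eventName")
    if name not in VOLUME_CHANGE_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    tags = (request_tags(record) if name == "CreateVolume"
            else baseline.get(params.get("volumeId"), {}))
    return "expected" if CHANGE_TAG_KEY in tags else "unexpected"

def unexpected_changes(log_lines, baseline=VOLUME_BASELINE):
    """Return (eventName, principal, volumeId) for each JSON-lines record lacking a change id."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if classify(rec, baseline) != "unexpected":
            continue
        params, resp = rec.get("requestParameters") or {}, rec.get("responseElements") or {}
        vol = params.get("volumeId") or resp.get("volumeId", "?")
        hits.append((rec["eventName"], rec["userIdentity"]["arn"], vol))
    return hits

# Constructed sample records following CloudTrail's field names (ARNs are placeholders).
DEPLOY, CONTRACTOR = "arn:aws:iam::111122223333:user/deploy", "arn:aws:iam::111122223333:user/contractor"
TAGGED = {"items": [{"resourceType": "volume", "tags": [{"key": "ChangeTicket", "value": "CHG-1002"}]}]}
SAMPLE_LOG = [json.dumps(r) for r in [
    {"eventName": "CreateVolume", "userIdentity": {"arn": DEPLOY},
     "requestParameters": {"size": 100, "tagSpecificationSet": TAGGED}, "responseElements": {"volumeId": "vol-0ccc"}},
    {"eventName": "CreateVolume", "userIdentity": {"arn": CONTRACTOR},
     "requestParameters": {"size": 500}, "responseElements": {"volumeId": "vol-0ddd"}},
    {"eventName": "DeleteVolume", "userIdentity": {"arn": CONTRACTOR}, "requestParameters": {"volumeId": "vol-0bbb"}},
    {"eventName": "ModifyVolume", "userIdentity": {"arn": DEPLOY}, "requestParameters": {"volumeId": "vol-0aaa", "size": 200}},
]]
```

Printing unexpected_changes(SAMPLE_LOG) lists the untagged CreateVolume and the DeleteVolume of the untagged vol-0bbb, while the ModifyVolume of the tagged vol-0aaa is treated as an expected change.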

References