1. Home
  2. Techniques
  3. Enterprise
  4. Direct Volume Access

Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. [1]

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.[2] Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes.[3]

ID: T1006
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Network, Windows
Defense Bypassed: File monitoring, File system access controls
Contributors: Tom Simpson, CrowdStrike Falcon OverWatch
Version: 2.2
Created: 31 May 2017
Last Modified: 16 April 2024
Version Permalink

Procedure Examples

ID Name Description
S0404 esentutl

esentutl can use the Volume Shadow Copy service to copy locked files such as ntds.dit.[3][4]
G1015 Scattered Spider

Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the NTDS.dit file.[5]
G1017 Volt Typhoon

Volt Typhoon has executed the Windows-native vssadmin command to create volume shadow copies.[6]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services.
M1018 User Account Management

Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.
DS0016 Drive Drive Access

Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives. [2]
DS0022 File File Creation

Monitor for the creation of volume shadow copy and backup files, especially unexpected and irregular activity (relative to time, user, etc.).

References

  1. Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.
  2. Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.
  3. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  1. Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
  2. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  3. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.