Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

File System Logical Offsets

Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. [1]

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. [2]

ID: T1006

Tactic: Defense Evasion

Platform:  Windows

Permissions Required:  Administrator

Data Sources:  API monitoring

Defense Bypassed:  File monitoring, File system access controls

Version: 1.0

Mitigation

Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting [3] tools, like AppLocker, [4] [5] or Software Restriction Policies [6] where appropriate. [7]

Detection

Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. [2]

Monitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.

References