Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. [1]
Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.[2] Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes.[3]
| ID | Name | Description |
|---|---|---|
| C0051 | APT28 Nearest Neighbor Campaign |
During APT28 Nearest Neighbor Campaign, APT28 accessed volume shadow copies through executing |
| S0404 | esentutl |
esentutl can use the Volume Shadow Copy service to copy locked files such as |
| G1015 | Scattered Spider |
Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the |
| G1017 | Volt Typhoon |
Volt Typhoon has executed the Windows-native |
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint |
Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services. |
| M1018 | User Account Management |
Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0426 | Detection of Direct Volume Access for File System Evasion | AN1193 |
Processes accessing raw logical drives (e.g., .\C:) to bypass file system protections or directly manipulate data structures. |
| AN1194 |
CLI or automated utilities accessing raw device volumes or flash storage directly (e.g., via |