Direct Volume Access (T1006)

Tactic: Stealth · Platforms: Network Devices, Windows

The interactive view maps 1 detection strategy, 2 mitigations, 2 threat groups, 1 software entry, 2 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.

Overview

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.

Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell. Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and esentutl) to create shadow copies or backups of data from system volumes.

Explore