Stealth

T1006: Direct Volume Access

T1006 · Technique · 2 platforms · 2 groups

Description

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)
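As an added example (not part of the ATT&CK entry or of any of the tools it names), the following Python detector runs the indicators described above, shadow-copy or backup creation via vssadmin, wbadmin and esentutl, NinjaCopy invocation, and raw volume reads by processes that are not expected to perform them, over constructed sample telemetry. The event tuple format, the regular expressions and the allowlist of processes are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not real logs): (event_type, process, detail).
# "raw_access_read" mirrors a Sysmon Event ID 9 (RawAccessRead) record and carries
# the device opened; "process_create" carries the command line.
SAMPLE_EVENTS = [
    ("process_create", "vssadmin.exe", "vssadmin create shadow /for=C:"),
    ("process_create", "esentutl.exe",
     r"esentutl /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\out.dit"),
    ("process_create", "powershell.exe",
     r"powershell -c Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit"),
    ("raw_access_read", "powershell.exe", r"\Device\HarddiskVolume2"),
    ("raw_access_read", "svchost.exe", r"\Device\HarddiskVolume2"),  # VSS service, expected
    ("process_create", "notepad.exe", r"notepad.exe C:\Users\a\notes.txt"),
]

# Command-line patterns for shadow-copy/backup creation and raw device paths.
SHADOW_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I), "vssadmin create shadow"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bstart\s+backup\b", re.I), "wbadmin start backup"),
    (re.compile(r"\besentutl(\.exe)?\b.*\s/vss\b", re.I), "esentutl /vss copy"),
    (re.compile(r"Invoke-NinjaCopy", re.I), "NinjaCopy raw NTFS read"),
    (re.compile(r"\\\\\.\\[A-Za-z]:|\\Device\\HarddiskVolume", re.I), "raw volume device path"),
]

# Assumed allowlist: system and backup processes that legitimately open raw volumes.
# This is an assumption for the example and must be tuned per environment.
RAW_READ_ALLOWLIST = {"system", "svchost.exe", "vssvc.exe", "wbengine.exe"}


def detect_direct_volume_access(events):
    """Return (event_index, process, reason) for events consistent with T1006."""
    findings = []
    for i, (etype, proc, detail) in enumerate(events):
        proc = proc.lower()
        if etype == "process_create":
            for pattern, reason in SHADOW_PATTERNS:
                if pattern.search(detail):
                    findings.append((i, proc, reason))
                    break  # one finding per event is enough for triage
        elif etype == "raw_access_read" and proc not in RAW_READ_ALLOWLIST:
            findings.append((i, proc, "raw volume read by non-allowlisted process"))
    return findings


if __name__ == "__main__":
    for idx, proc, reason in detect_direct_volume_access(SAMPLE_EVENTS):
        print(f"event {idx}: {proc}: {reason}")
```

The svchost.exe raw read is deliberately not flagged, because the Volume Shadow Copy service itself opens volumes directly; the value of the allowlist is that it turns raw reads from any other process into an alert.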

Platforms

Network Devices, Windows

Mitigations (2)

M1040 · Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block behaviors associated with an adversary's attempts to create backups, such as execution of backup commands or API calls to backup-related services.

M1018 · User Account Management

Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity.

Threat Groups (2)

ID · Group · Context

G1015 · Scattered Spider · [Scattered Spider](https://attack.mitre.org/groups/G1015) has created volume shadow copies of virtual domain controller disks to extract the `NTDS.dit...

G1017 · Volt Typhoon · [Volt Typhoon](https://attack.mitre.org/groups/G1017) has executed the Windows-native `vssadmin` command to create volume shadow copies.(Citation: CI...

Associated Software (1)

ID · Name · Type · Context

S0404 · esentutl · Tool · [esentutl](https://attack.mitre.org/software/S0404) can use the Volume Shadow Copy service to copy locked files such as `ntds.dit`.(Citation: LOLBAS E...

Frequently Asked Questions

What is T1006 (Direct Volume Access)?

T1006 is a MITRE ATT&CK technique named 'Direct Volume Access'. It belongs to the Stealth tactic. Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may re...

How can T1006 be detected?

Detection of T1006 (Direct Volume Access) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1006?

There are 2 documented mitigations for T1006: Behavior Prevention on Endpoint (M1040) and User Account Management (M1018).

Which threat groups use T1006?

Known threat groups using T1006 include Scattered Spider (G1015) and Volt Typhoon (G1017).