Description
Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform Lateral Movement, or as a precursor to Direct Volume Access.
On ESXi systems, adversaries may use Hypervisor CLI commands such as esxcli to list storage connected to the host as well as .vmdk files.(Citation: TrendMicro)(Citation: TrendMicro ESXI Ransomware)
On Windows systems, adversaries can use wmic logicaldisk get to find information about local network drives. They can also use Get-PSDrive in PowerShell to retrieve drives and may additionally use Windows API functions such as GetDriveType.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Volexity)
Linux has commands such as parted, lsblk, fdisk, lshw, and df that can list information about disk partitions such as size, type, file system types, and free space. The command diskutil on MacOS can be used to list disks while system_profiler SPStorageDataType can additionally show information such as a volume’s mount path, file system, and the type of drive in the system.
Infrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as describe volume in AWS, gcloud compute disks list in GCP, and az disk list in Azure.(Citation: AWS docs describe volumes)(Citation: GCP gcloud compute disks list)(Citation: azure az disk)
Platforms
Threat Groups (10)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for disk partition and logical volume information.(Citation: ATT TeamTNT Chimaera Septem... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has discovered file system types, drive names, size, and free space on compromised systems.(Cita... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used a file stealer that can examine system drives, including those other than the C drive.(Cit... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has detected a target system’s system volume information.(Citation: TrendMicro TropicTrooper 2... |
| G0032 | Lazarus Group | A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) collects disk space information and sends it to its C2 server.(... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) collected the system volume serial number.(Citation: PTSecurity Higaisa 2020)(Citation: Malwarebytes ... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) enumerated all available drives on the victim's machine.(Citation: Cymmetria Patchwork)(Citation: T... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information inc... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has collected information on bootable drives including model, vendor, and serial numbers.(Citation: ... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has enumerated drives.(Citation: Talos Kimsuky Nov 2021)(Citation: Securelist Kimsuky Sept 2013)(Cita... |
Associated Software (88)
| ID | Name | Type | Context |
|---|---|---|---|
| S0533 | SLOTHFULMEDIA | Malware | [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has collected disk information from a victim machine.(Citation: CISA MAR SLOTHFULMEDIA Octobe... |
| S1151 | ZeroCleare | Malware | [ZeroCleare](https://attack.mitre.org/software/S1151) can use the `IOCTL_DISK_GET_DRIVE_GEOMETRY_EX`, `IOCTL_DISK_GET_DRIVE_GEOMETRY`, and `IOCTL_DISK... |
| S1049 | SUGARUSH | Malware | [MoonWind](https://attack.mitre.org/software/S0149) can obtain the number of drives on the victim machine.(Citation: Palo Alto MoonWind March 2017) |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) can enumerate local drives, disk type, and disk free space.(Citation: McAfee Cuba April 2021) |
| S0253 | RunningRAT | Malware | [RunningRAT](https://attack.mitre.org/software/S0253) gathers logical drives information and volume information.(Citation: McAfee Gold Dragon) |
| S0678 | Torisma | Malware | [Torisma](https://attack.mitre.org/software/S0678) can use `GetlogicalDrives` to get a bitmask of all drives available on a compromised system. It can... |
| S0248 | yty | Malware | [yty](https://attack.mitre.org/software/S0248) gathers the the serial number of the main disk volume.(Citation: ASERT Donot March 2018) |
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has checked to ensure there is enough disk space using the Unix utility `df`.(Citation: Sent... |
| S0564 | BlackMould | Malware | [BlackMould](https://attack.mitre.org/software/S0564) can enumerate local drives on a compromised host.(Citation: Microsoft GALLIUM December 2019) |
| S0472 | down_new | Malware | [down_new](https://attack.mitre.org/software/S0472) has the ability to identify the system volume information of a compromised host.(Citation: Trend M... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) can collect a system's drive information.(Citation: Trend Micro Iron Tiger April 2021)(Citation: ... |
| S0630 | Nebulae | Malware | [Nebulae](https://attack.mitre.org/software/S0630) can discover logical drive information including the drive type, free space, and volume information... |
| S0607 | KillDisk | Malware | [KillDisk](https://attack.mitre.org/software/S0607) retrieves the hard disk name by calling the <code>CreateFileA to \\.\PHYSICALDRIVE0</code> API.(Ci... |
| S1168 | SampleCheck5000 | Malware | [SampleCheck5000](https://attack.mitre.org/software/S1168) can create unique victim identifiers by using the compromised system’s volume ID.(Citation:... |
| S0351 | Cannon | Malware | [Cannon](https://attack.mitre.org/software/S0351) can gather drive information from the victim's machine.(Citation: Unit42 Cannon Nov 2018)(Citation: ... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has collected a list of all mapped drives on the infected host.(Citation: Eset PlugX Korplug Mustang ... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) uses the Delphi methods <code>Sysutils::DiskSize</code> and <code>GlobalMemoryStatusEx</code> to c... |
| S0267 | FELIXROOT | Malware | [FELIXROOT](https://attack.mitre.org/software/S0267) collects the victim’s volume serial number.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can enumerate local drive configuration.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR... |
| S1026 | Mongall | Malware | [Mongall](https://attack.mitre.org/software/S1026) can identify drives on compromised hosts.(Citation: SentinelOne Aoqin Dragon June 2022) |
References
- Ankur Saini, Charlie Gardner. (2023, June 28). Charming Kitten Updates POWERSTAR with an InterPlanetary Twist. Retrieved September 25, 2025.
- AWS. (n.d.). describe-volumes. Retrieved October 20, 2025.
- Azure. (n.d.). az disk. Retrieved October 20, 2025.
- Google Cloud. (n.d.). gcloud compute disks list. Retrieved October 20, 2025.
- Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.
- Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
- Mina Naiim. (2021, May 28). DarkSide on Linux: Virtual Machines Targeted. Retrieved March 26, 2025.
Frequently Asked Questions
What is T1680 (Local Storage Discovery)?
T1680 is a MITRE ATT&CK technique named 'Local Storage Discovery'. It belongs to the Discovery tactic(s). Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to...
How can T1680 be detected?
Detection of T1680 (Local Storage Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1680?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1680?
Known threat groups using T1680 include: TeamTNT, Volt Typhoon, Confucius, Tropic Trooper, Lazarus Group, Higaisa, Patchwork, Chimera.