Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. [1]

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. [2]

ID: T1006
Sub-techniques: No sub-techniques
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator
Defense Bypassed: File monitoring, File system access controls
Version: 2.0
Created: 31 May 2017
Last Modified: 09 February 2021

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID      Data Source   Data Component
DS0017  Command       Command Execution
DS0016  Drive         Drive Access

Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. [2]

Monitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.
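The two detection points above (handle opens on drive volumes, and command lines that reference raw volume paths or known volume-copy tooling) can be triaged together. The following is an added example, not code from the ATT&CK page or from any tool it names. It assumes a simplified, constructed record format (dicts with `event`, `image`, `device` and `command_line` fields) loosely modelled on Sysmon's RawAccessRead (Event ID 9) and process-creation (Event ID 1) events; the allowlisted backup agent path and the `rawread.exe` command line in the sample data are hypothetical.

```python
"""Triage helper for T1006 detection: flag raw handle opens on logical drives
or physical disks, and command lines that reference raw volume paths or
volume-copy tooling.  Added example; record format is a constructed
simplification, not a real log schema."""
import re
from dataclasses import dataclass

# Device names Windows exposes for direct volume / disk access:
#   \\.\C:  \\.\PhysicalDrive0  \\.\HarddiskVolume2  \\?\Volume{GUID}
#   \Device\HarddiskVolume2 (kernel object path seen in Sysmon events)
RAW_DEVICE = re.compile(
    r"(\\\\[.?]\\(?:[A-Za-z]:|PhysicalDrive\d+|HarddiskVolume\d+|Volume\{[0-9a-fA-F-]+\}))"
    r"|(\\Device\\HarddiskVolume\d+)",
    re.IGNORECASE,
)

# Process images expected to open volumes directly (hypothetical allowlist;
# tune per environment, and keep it short so that it cannot hide abuse).
ALLOWLIST = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\program files\backupagent\agent.exe",  # hypothetical backup software
}

# Command-line tokens tied to volume-copy tooling; NinjaCopy is named on the page.
SUSPICIOUS_TOKENS = ("invoke-ninjacopy", "ninjacopy")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def is_raw_device(text: str) -> bool:
    """True if the text contains a raw volume or disk device path."""
    return bool(RAW_DEVICE.search(text))


def analyze(records):
    """Return a Finding for each record matching one of the three rules."""
    findings = []
    for rec in records:
        image = rec.get("image", "")
        if rec.get("event") == "raw_access_read":
            device = rec.get("device", "")
            if is_raw_device(device) and image.lower() not in ALLOWLIST:
                findings.append(Finding("raw-volume-handle", image, device))
        elif rec.get("event") == "process_create":
            cmd = rec.get("command_line", "")
            if any(tok in cmd.lower() for tok in SUSPICIOUS_TOKENS):
                findings.append(Finding("volume-copy-tool", image, cmd))
            elif is_raw_device(cmd):
                findings.append(Finding("raw-volume-path-in-cmdline", image, cmd))
    return findings


# Constructed sample records: one allowlisted raw read, one unexpected raw
# read by PowerShell, one NinjaCopy invocation, one hypothetical tool passing
# a raw disk path, and one benign process start.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_RECORDS = [
    {"event": "raw_access_read", "image": r"C:\Windows\System32\vssvc.exe",
     "device": r"\Device\HarddiskVolume2"},
    {"event": "raw_access_read", "image": POWERSHELL,
     "device": r"\Device\HarddiskVolume2"},
    {"event": "process_create", "image": POWERSHELL,
     "command_line": r'powershell.exe -NoProfile -Command "Invoke-NinjaCopy -Path C:\target\file.bin"'},
    {"event": "process_create", "image": r"C:\tools\rawread.exe",
     "command_line": r"C:\tools\rawread.exe \\.\PhysicalDrive0"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The allowlist is keyed on the full image path so that a renamed copy of a backup binary in another directory still produces a finding; in production the raw-handle rule is the stronger signal, since a volume-copy script can be renamed or obfuscated but must still open the volume device.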

References