T1006

Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Gith...

Network Devices, Windows

8 Detections, 2 Sources, 2 Threat Actors

BY SOURCE

7 elastic, 1 sigma

PROCEDURES (7)

Container: 2 detections

Auto-extracted: 2 detections for container

Credential: 1 detection

Auto-extracted: 1 detection for credential

Registry Monitoring: 1 detection

Auto-extracted: 1 detection for registry monitoring

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Credential: 1 detection

Auto-extracted: 1 detection for credential

Credential: 1 detection

Auto-extracted: 1 detection for credential

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

DETECTIONS (8)