Direct Volume Access

Created the Tuesday 31 January 2023. Updated 1 year, 1 month ago.

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.

Technique Identifier

T1006

Technique Tags

Defense Evasion bypass file action control bypass file system monitoring direct access to logical volumes NinjaCopy

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Direct Volume Access, Technique T1006 - Enterprise | MITRE ATT&CK®