DET0426 Detection of Direct Volume Access for File System Evasion

| Item | Value |
| --- | --- |
| ID | DET0426 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1006 (Direct Volume Access)

Analytics

Windows

AN1193

Processes accessing raw logical drives (e.g., \\.\C:) to bypass file system protections or directly manipulate data structures.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

Mutable Elements

| Field | Description |
| --- | --- |
| TargetObjectPattern | Regex pattern to detect access to raw disk volumes like \Device\HarddiskVolume or \\.\PhysicalDrive*. |
| ParentProcess | Tune for known tools/scripts (e.g., powershell.exe, cmd.exe) often used in misuse scenarios. |
| TimeWindow | Correlate file access and creation across a short time window to avoid false positives. |
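The analytic above combines three tunables: a target-object regex, a parent-process filter and a creation-to-access time window. As an added example (not part of DET0426 or any ATT&CK tooling), the following Python applies all three to a constructed, simplified event schema (dicts with time, event_code, image, parent_image and target_object, not Sysmon's XML), correlating EventCode=10 raw-volume hits with EventCode=4688 process creations:

```python
import re
from datetime import datetime, timedelta

# TargetObjectPattern: raw logical drives (\\.\C:), physical drives
# (\\.\PhysicalDrive0) and volume devices (\Device\HarddiskVolume3).
TARGET_OBJECT_PATTERN = re.compile(
    r"^(?:\\\\\.\\(?:PhysicalDrive\d+|[A-Z]:)|\\Device\\HarddiskVolume\d+)\\?$",
    re.IGNORECASE,
)
# ParentProcess: script hosts to flag when they spawn the accessing process.
SUSPICIOUS_PARENTS = {"powershell.exe", "cmd.exe"}
# TimeWindow: how recent a 4688 process creation must be to correlate.
TIME_WINDOW = timedelta(seconds=60)

def is_raw_volume(target_object: str) -> bool:
    return bool(TARGET_OBJECT_PATTERN.match(target_object))

def detect(events):
    """Alert on EventCode=10 records whose target matches a raw volume.
    Events use a constructed schema: time, event_code, image, parent_image, target_object."""
    starts, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_code"] == 4688:  # remember process start times per image
            starts.setdefault(ev["image"].lower(), []).append(ev["time"])
        elif ev["event_code"] == 10 and is_raw_volume(ev["target_object"]):
            parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
            recent = any(timedelta(0) <= ev["time"] - t <= TIME_WINDOW
                         for t in starts.get(ev["image"].lower(), []))
            alerts.append({
                "image": ev["image"],
                "target_object": ev["target_object"],
                "suspicious_parent": parent in SUSPICIOUS_PARENTS,
                "started_within_window": recent,
            })
    return alerts

# Constructed sample telemetry (not taken from the page).
T0 = datetime(2025, 10, 21, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "event_code": 4688, "image": r"C:\Tools\diskdump.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "target_object": ""},
    {"time": T0 + timedelta(seconds=5), "event_code": 10, "image": r"C:\Tools\diskdump.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "target_object": r"\\.\C:"},
    {"time": T0 + timedelta(seconds=9), "event_code": 10, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "target_object": r"\Device\HarddiskVolume3"},
    {"time": T0 + timedelta(seconds=12), "event_code": 10, "image": r"C:\Backup\agent.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "target_object": r"C:\Users\alice\report.docx"},
]
```

Running detect(SAMPLE_EVENTS) yields two alerts: the cmd.exe-spawned process touching \\.\C: seconds after creation (both tuning flags set) and the services.exe child touching a HarddiskVolume device (neither flag set), while the ordinary document access is ignored.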

Network Devices

AN1194

CLI or automated utilities accessing raw device volumes or flash storage directly (e.g., via copy flash:, format, or partition commands).

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Command Execution (DC0064) | networkdevice:cli | command logging |

Mutable Elements

| Field | Description |
| --- | --- |
| CommandScope | Limit detection to volume-level commands (e.g., format, copy, mount, erase). |
| DeviceTypeFilter | Filter by internal vs. removable volume interactions (e.g., flash, SD card). |