
T1006 Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. [1]

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. [2]

| Item | Value |
|---|---|
| ID | T1006 |
| Sub-techniques | |
| Tactics | TA0005 |
| Platforms | Windows |
| Permissions required | Administrator |
| Version | 2.0 |
| Created | 31 May 2017 |
| Last Modified | 09 February 2021 |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0016 | Drive | Drive Access |
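
A sketch of the Command Execution side of this detection, as an added example that is not part of the original page: it flags process command lines that name a whole volume through the Win32 device namespace or that reference NinjaCopy. The event fields (`host`, `image`, `command_line`), the allowlisted backup agent path and the sample events are assumptions constructed for illustration.

```python
import re

# Device-namespace path naming a whole volume (\\.\C: or \\?\Volume{GUID}).
# A trailing backslash means a file or directory on the volume, which still
# goes through normal file access checks, so it is excluded.
RAW_VOLUME = re.compile(r"\\\\[.?]\\(?:[a-z]:|Volume\{[0-9a-f-]{36}\})(?!\\)", re.I)
TOOL_NAME = re.compile(r"ninjacopy", re.I)  # utility named on this page

# Assumption: images expected to open volumes directly (hypothetical path).
ALLOWED_IMAGES = {r"c:\program files\examplebackup\agent.exe"}


def classify(event):
    """Return the reasons a command-execution event looks like direct volume access."""
    if event["image"].lower() in ALLOWED_IMAGES:
        return []
    reasons = []
    match = RAW_VOLUME.search(event["command_line"])
    if match:
        reasons.append("raw volume path " + match.group(0))
    if TOOL_NAME.search(event["command_line"]):
        reasons.append("NinjaCopy reference")
    return reasons


def find_direct_volume_access(events):
    """Return (host, image, reasons) for every event with at least one reason."""
    return [(e["host"], e["image"], r) for e in events if (r := classify(e))]


# Constructed sample events (not real telemetry); reader.exe is hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Temp\NinjaCopy.ps1"},
    {"host": "ws02", "image": r"C:\Temp\reader.exe",
     "command_line": r"reader.exe --source \\.\C: --out D:\img.bin"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe \\.\C:\Users\alice\notes.txt"},
    {"host": "srv01", "image": r"C:\Program Files\ExampleBackup\agent.exe",
     "command_line": r"agent.exe \\?\Volume{01234567-89ab-cdef-0123-456789abcdef}"},
    {"host": "ws04", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Users"},
]

if __name__ == "__main__":
    for host, image, reasons in find_direct_volume_access(SAMPLE_EVENTS):
        print(host, image, "; ".join(reasons))
```

Command-line matching only sees volume paths that appear as arguments; a program that opens the volume internally is visible only through the Drive Access data component.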

References