T1006 Direct Volume Access
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.[2]
Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.[1] Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes.[3]
| Item | Value |
|---|---|
| ID | T1006 |
| Sub-techniques | |
| Tactics | TA0005 |
| Platforms | Network Devices, Windows |
| Version | 2.3 |
| Created | 31 May 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0051 | APT28 Nearest Neighbor Campaign | During APT28 Nearest Neighbor Campaign, APT28 accessed volume shadow copies through executing vssadmin in order to dump the NTDS.dit file.[7] |
| S0404 | esentutl | esentutl can use the Volume Shadow Copy service to copy locked files such as ntds.dit.[3][4] |
| G1015 | Scattered Spider | Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the NTDS.dit file.[5] |
| G1017 | Volt Typhoon | Volt Typhoon has executed the Windows-native vssadmin command to create volume shadow copies.[6] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services. |
| M1018 | User Account Management | Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity. |
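The description above names the utilities (vssadmin, wbadmin, esentutl) and M1018 asks that accounts be monitored for unauthorized backup activity; the following added example (not part of the ATT&CK page) shows what that monitoring can look like as detection logic run over constructed, Sysmon-style event lines. The account allowlist, image allowlist and file paths are assumptions; process creation is modelled on Sysmon Event ID 1 and raw volume reads on Sysmon Event ID 9 (RawAccessRead).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry) in a simplified key=value form modelled on
# Sysmon records: EventID 1 = process creation (CommandLine), EventID 9 = RawAccessRead (Device).
SAMPLE_EVENTS = [
    'EventID=1 User="CORP\\backupsvc" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin create shadow /for=C:"',
    'EventID=1 User="CORP\\jdoe" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin create shadow /for=C:"',
    'EventID=1 User="CORP\\jdoe" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows"',
    'EventID=1 User="CORP\\jdoe" Image="C:\\Windows\\System32\\esentutl.exe" CommandLine="esentutl /y /vss C:\\locked.edb /d C:\\Temp\\copy.edb"',
    'EventID=9 User="CORP\\jdoe" Image="C:\\Users\\jdoe\\Downloads\\tool.exe" Device="\\Device\\HarddiskVolume2"',
    'EventID=9 User="NT AUTHORITY\\SYSTEM" Image="C:\\Windows\\System32\\svchost.exe" Device="\\Device\\HarddiskVolume2"',
]

# M1018: only these accounts may create backups/shadow copies (assumed account names).
AUTHORIZED_BACKUP_ACCOUNTS = {"corp\\backupsvc"}
# Images expected to read volumes directly; any other image doing so is flagged (assumed list).
RAW_READ_ALLOWLIST = {"c:\\windows\\system32\\svchost.exe"}
# Command-line patterns for shadow copy creation or VSS-backed copies with the utilities the page names.
SHADOW_COPY_PATTERNS = {
    "vssadmin.exe": re.compile(r"\bcreate\s+shadow\b", re.I),
    "wbadmin.exe": re.compile(r"\bstart\s+backup\b", re.I),
    "esentutl.exe": re.compile(r"(^|\s)/vss\b", re.I),
}
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value event line (quoted or bare values) into a dict."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}

def classify(event):
    """Return a finding string for a suspicious event, or None if it passes the rules."""
    user, image = event.get("User", "").lower(), event.get("Image", "").lower()
    exe = PureWindowsPath(image).name
    if event.get("EventID") == "1":
        pattern = SHADOW_COPY_PATTERNS.get(exe)
        if pattern and pattern.search(event.get("CommandLine", "")) and user not in AUTHORIZED_BACKUP_ACCOUNTS:
            return f"shadow copy/VSS access by unauthorized account {user} via {exe}"
    elif event.get("EventID") == "9" and image not in RAW_READ_ALLOWLIST:
        return f"raw volume read of {event.get('Device')} by {exe} as {user}"
    return None

def scan(lines):
    """Run the rules over event lines; returns (line index, finding) pairs."""
    return [(i, f) for i, f in ((i, classify(parse_event(l))) for i, l in enumerate(lines)) if f]
```

On the sample above, `scan(SAMPLE_EVENTS)` flags the vssadmin and esentutl invocations by the non-backup account and the raw read by the unknown image, while the authorized backup account and the allowlisted system process pass.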
References
1. Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.
2. Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.
3. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
4. Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
5. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
6. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
7. Koessel, S., Adair, S., & Lancaster, T. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.