Technique on mitre.org

T1006: Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. Adversaries may also use built-in or third-party utilities (such as vssadmin, wbadmin, and esentutl) to create shadow copies or backups of data from system volumes.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of process-start events where command line input contains 'New-Object IO.FileStream ".#{volume}"', where '#{volume}' is the name of the volume.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for the creation of volume shadow copy and backup files, especially unexpected and irregular activity (relative to time, user, etc.).

ID	DS0016	Data source and component	Drive: Drive Access	Description	Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.

ID	Data source and component	Description
DS0022	File: File Creation	Monitor for the creation of volume shadow copy and backup files, especially unexpected and irregular activity (relative to time, user, etc.).
DS0016	Drive: Drive Access	Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives.
DS0017	Command: Command Execution	Monitor executed commands and arguments that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.

Mitigation

ID	M1040	Name	Behavior Prevention on Endpoint	Description	Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services.

ID	M1018	Name	User Account Management	Description	Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity.

ID	Name	Description
M1040	Behavior Prevention on Endpoint	Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services.
M1018	User Account Management	Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity.