T1006: Direct Volume Access

The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID: T1006
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:08
Author / Source: The MITRE Corporation

Aliases

T1006

Platforms

Windows, Network Devices

Description

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)

Kill chain phases

Kill chain: mitre-attack
Phase: defense-evasion

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references