atomics/T1006/T1006.md

# T1006 - Direct Volume Access
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1006)
<blockquote>

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)

Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1---read-volume-boot-sector-via-dos-device-path-powershell)


<br/>

## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)
This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.

For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
```
           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   EB 52 90 4E 54 46 53 20 20 20 20                 ëR?NTFS
```

**Supported Platforms:** Windows


**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| volume | Drive letter of the volume to access | string | C:|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
$buffer = New-Object byte[] 11
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer
```


<br/>
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00			`# T1006 - Direct Volume Access`
			`## [Description from ATT&CK](https://attack.mitre.org/techniques/T1006)`
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00			`<blockquote>`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00			`Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)`

			Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)

			`</blockquote>`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00
			`## Atomic Tests`

			`- [Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1---read-volume-boot-sector-via-dos-device-path-powershell)`


			`<br/>`

			`## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)`
			This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
			`On success, a hex dump of the first 11 bytes of the volume is displayed.`

			`For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):`
			```
			`00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F`

			`00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS`
			```
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00			`Supported Platforms: Windows`


Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00			`auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b`



Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00

			`#### Inputs:`
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 15:16:54 +00:00			`\| Name \| Description \| Type \| Default Value \|`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00			`\|------\|-------------\|------\|---------------\|`
Generated docs from job=generate-docs branch=master [ci skip] 2023-02-13 23:11:19 +00:00			`\| volume \| Drive letter of the volume to access \| string \| C:\|`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00

			#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)


			```powershell
			`$buffer = New-Object byte[] 11`
			`$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'`
			`$handle.Read($buffer, 0, $buffer.Length)`
			`$handle.Close()`
			`Format-Hex -InputObject $buffer`
			```






			`<br/>`