T1006

Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes, enabling reads and writes directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls and file system monitoring tools. Utilities such as NinjaCopy (PowerShell), vssadmin, wbadmin, and esentutl can be used to create shadow copies or access locked files (such as ntds.dit, SYSTEM hive, and SAM) directly from disk. Real-world actors including Scattered Spider and Volt Typhoon have leveraged Volume Shadow Copy Service (VSS) to extract credential stores without triggering standard file access controls.

Microsoft Sentinel / Defender

kusto

let DirectVolumePatterns = dynamic([
  "HarddiskVolumeShadowCopy", "GLOBALROOT\\Device\\",
  "\\\\.\\PhysicalDrive", "\\\\.\\HarddiskVolume",
  "\\\\?\\GLOBALROOT", "vssadmin", "diskshadow"
]);
let CredentialTargets = dynamic([
  "ntds.dit", "ntds.jfm", "NTDS.dit",
  "SAM", "SECURITY", "SYSTEM",
  "NTUSER.DAT", "security.bak"
]);
let SuspiciousTools = dynamic([
  "esentutl.exe", "vssadmin.exe", "wbadmin.exe",
  "diskshadow.exe", "ntdsutil.exe"
]);
// Branch 1: Shadow copy creation and manipulation tools
let ShadowCopyOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (SuspiciousTools)
| where ProcessCommandLine has_any ("create shadow", "list shadows", "delete shadows",
    "/y ", "/vss", "start backup", "ifm", "activate instance",
    "set context", "add volume", "expose", "HarddiskVolumeShadowCopy", "GLOBALROOT")
| extend DetectionBranch = "ShadowCopyOrVSSToolUsage"
| extend TargetsCredentials = ProcessCommandLine has_any (CredentialTargets);
// Branch 2: Direct volume path access in any process command line
let DirectVolumeOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (DirectVolumePatterns)
| where not (FileName in~ ("vssvc.exe", "svchost.exe", "WmiPrvSE.exe"))
| extend DetectionBranch = "DirectVolumePathInCommandLine"
| extend TargetsCredentials = ProcessCommandLine has_any (CredentialTargets);
// Branch 3: PowerShell NinjaCopy or raw disk access
let NinjaCopyOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "NinjaCopy", "Invoke-NinjaCopy",
    "GetDriveGeometry", "FSCTL_GET_NTFS_VOLUME_DATA",
    "DeviceIoControl", "CreateFile.*\\\\\\.\\\\Harddisk",
    "PhysicalDrive", "HarddiskVolume"
  )
| extend DetectionBranch = "PowerShellDirectVolumeAccess"
| extend TargetsCredentials = ProcessCommandLine has_any (CredentialTargets);
// Branch 4: File events — reads from shadow copy paths
let ShadowCopyFileAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any ("HarddiskVolumeShadowCopy", "GLOBALROOT\\Device")
| where FileName has_any (CredentialTargets)
| extend DetectionBranch = "CredentialFileReadFromShadowCopy"
| extend TargetsCredentials = true
| project Timestamp, DeviceName, AccountName,
    FileName, FolderPath, InitiatingProcessFileName,
    InitiatingProcessCommandLine, DetectionBranch, TargetsCredentials;
union
  (ShadowCopyOps | project Timestamp, DeviceName, AccountName, FileName,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, TargetsCredentials),
  (DirectVolumeOps | project Timestamp, DeviceName, AccountName, FileName,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, TargetsCredentials),
  (NinjaCopyOps | project Timestamp, DeviceName, AccountName, FileName,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, TargetsCredentials)
| sort by Timestamp desc
| extend RiskScore = case(
    TargetsCredentials == true, "Critical",
    DetectionBranch == "PowerShellDirectVolumeAccess", "High",
    DetectionBranch == "ShadowCopyOrVSSToolUsage", "Medium",
    "Medium"
  )

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate backup software (Veeam, Acronis, Windows Server Backup) uses VSS APIs and vssadmin/wbadmin to create and manage shadow copies as part of normal backup jobs — correlate with scheduled backup windows
Database administrators using esentutl for legitimate NTDS or Exchange database maintenance, repair, or integrity checks — verify against change management tickets
Windows built-in System Restore and automatic shadow copy creation triggered by system updates or restore point schedules — check InitiatingProcessFileName for svchost.exe or vssvc.exe as parent
Security and compliance tools (CyberArk, BeyondTrust, Varonis) that enumerate shadow copies during privileged access audits or data classification scans
Forensic and incident response tooling run by authorized responders using disk imaging utilities that access raw volumes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\vssadmin.exe" AND (CommandLine="*create shadow*" OR CommandLine="*list shadows*" OR CommandLine="*delete shadow*"))
  OR (Image="*\\esentutl.exe" AND (CommandLine="*HarddiskVolumeShadowCopy*" OR CommandLine="*GLOBALROOT*" OR CommandLine="*/y *" OR CommandLine="*/vss*"))
  OR (Image="*\\diskshadow.exe")
  OR (Image="*\\ntdsutil.exe" AND (CommandLine="*ifm*" OR CommandLine="*activate instance*" OR CommandLine="*ntds*"))
  OR (Image="*\\wbadmin.exe" AND (CommandLine="*start backup*" OR CommandLine="*start recovery*"))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*NinjaCopy*" OR CommandLine="*Invoke-NinjaCopy*" OR CommandLine="*PhysicalDrive*" OR CommandLine="*HarddiskVolumeShadowCopy*" OR CommandLine="*GLOBALROOT*"))
  OR CommandLine="*\\\\.\\PhysicalDrive*"
  OR CommandLine="*GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
)
| eval ToolCategory=case(
    match(Image, "vssadmin\.exe"), "ShadowCopyManagement",
    match(Image, "esentutl\.exe"), "EsentutlVSS",
    match(Image, "diskshadow\.exe"), "DiskShadow",
    match(Image, "ntdsutil\.exe"), "NtdsutilIFM",
    match(Image, "wbadmin\.exe"), "WindowsBackup",
    (match(Image, "powershell\.exe") OR match(Image, "pwsh\.exe")), "PowerShellVolumeAccess",
    true(), "DirectVolumeAccess"
  )
| eval TargetsCredentials=if(
    match(lower(CommandLine), "(ntds\.dit|ntds\.jfm|\bsam\b|\bsecurity\b|\bsystem\b|ntuser\.dat)"),
    1, 0
  )
| eval RiskScore=case(
    TargetsCredentials=1, "Critical",
    ToolCategory="PowerShellVolumeAccess", "High",
    ToolCategory="EsentutlVSS", "High",
    ToolCategory="NtdsutilIFM", "High",
    true(), "Medium"
  )
| eval CommandLine=CommandLine
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
         ToolCategory, TargetsCredentials, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate backup software (Veeam, Acronis, Windows Server Backup) uses vssadmin and wbadmin for scheduled backup jobs — correlate with known backup windows and parent processes
Database administrators running esentutl for NTDS or Exchange database maintenance and integrity checks — validate against change management records
IT provisioning and domain replication tools (DFS-R, Active Directory replication) that interact with VSS for consistent snapshots
Security scanning and DLP tools that enumerate shadow copies for data classification or compliance purposes
Authorized penetration testers or red team operators performing credential extraction simulations — verify authorization documentation

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      (
        process.name in~ ("vssadmin.exe", "esentutl.exe", "diskshadow.exe", "ntdsutil.exe", "wbadmin.exe") and
        process.command_line like~ ("*create shadow*", "*list shadow*", "*delete shadow*",
          "*HarddiskVolumeShadowCopy*", "*GLOBALROOT*", "*ifm*", "*activate instance*",
          "*start backup*", "*start recovery*", "*/y *", "*/vss*")
      ) or
      (
        process.name in~ ("powershell.exe", "pwsh.exe") and
        process.command_line like~ ("*NinjaCopy*", "*Invoke-NinjaCopy*", "*PhysicalDrive*",
          "*HarddiskVolumeShadowCopy*", "*GLOBALROOT*", "*GetDriveGeometry*",
          "*FSCTL_GET_NTFS_VOLUME_DATA*", "*DeviceIoControl*")
      ) or
      (
        process.command_line like~ ("*PhysicalDrive*", "*HarddiskVolumeShadowCopy*", "*HarddiskVolume*") and
        not process.name in~ ("vssvc.exe", "svchost.exe", "wmiprvse.exe")
      )
    )
  ) or
  (
    event.category == "file" and
    file.path like~ ("*HarddiskVolumeShadowCopy*", "*GLOBALROOT*") and
    file.name in~ ("ntds.dit", "ntds.jfm", "sam", "security", "system", "ntuser.dat", "security.bak")
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security agent (process and file event telemetry) Winlogbeat with Sysmon module (Event ID 1, Event ID 11) Elastic Agent Windows integration with command-line auditing

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Enterprise backup software (Veeam, Acronis, Windows Server Backup, Azure Backup agent) that invokes vssadmin.exe or wbadmin.exe on scheduled backup jobs — particularly noisy on dedicated backup servers and domain controllers with regular snapshot schedules
IT administrators performing authorized Active Directory maintenance using ntdsutil.exe with IFM arguments for domain controller promotion media creation, or esentutl.exe for offline NTDS defragmentation
Endpoint detection and response platforms or forensic tools that enumerate shadow copies, scan VSS snapshots for malware, or perform integrity checks using raw volume access as part of their normal sensor activity

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS UserName,
  "ProcessImage" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  CASE
    WHEN LOWER("CommandLine") LIKE '%ntds.dit%'
      OR LOWER("CommandLine") LIKE '%ntds.jfm%'
      OR LOWER("CommandLine") LIKE '%ntuser.dat%'
      OR LOWER("CommandLine") LIKE '%security.bak%'
      THEN 'Critical'
    WHEN "ProcessImage" LIKE '%powershell.exe'
      OR "ProcessImage" LIKE '%pwsh.exe'
      OR "ProcessImage" LIKE '%ntdsutil.exe'
      OR "ProcessImage" LIKE '%esentutl.exe'
      THEN 'High'
    ELSE 'Medium'
  END AS RiskScore,
  CASE
    WHEN "ProcessImage" LIKE '%vssadmin.exe'   THEN 'ShadowCopyManagement'
    WHEN "ProcessImage" LIKE '%esentutl.exe'   THEN 'EsentutlVSS'
    WHEN "ProcessImage" LIKE '%diskshadow.exe' THEN 'DiskShadow'
    WHEN "ProcessImage" LIKE '%ntdsutil.exe'   THEN 'NtdsutilIFM'
    WHEN "ProcessImage" LIKE '%wbadmin.exe'    THEN 'WindowsBackup'
    WHEN "ProcessImage" LIKE '%powershell.exe'
      OR "ProcessImage" LIKE '%pwsh.exe'       THEN 'PowerShellVolumeAccess'
    ELSE 'DirectVolumeAccess'
  END AS ToolCategory
FROM events
WHERE
  (
    (
      "ProcessImage" LIKE '%vssadmin.exe' AND
      ("CommandLine" LIKE '%create shadow%' OR "CommandLine" LIKE '%list shadow%' OR "CommandLine" LIKE '%delete shadow%')
    ) OR (
      "ProcessImage" LIKE '%esentutl.exe' AND
      ("CommandLine" LIKE '%HarddiskVolumeShadowCopy%' OR "CommandLine" LIKE '%GLOBALROOT%'
        OR "CommandLine" LIKE '%/y %' OR "CommandLine" LIKE '%/vss%')
    ) OR
      "ProcessImage" LIKE '%diskshadow.exe'
    OR (
      "ProcessImage" LIKE '%ntdsutil.exe' AND
      ("CommandLine" LIKE '%ifm%' OR "CommandLine" LIKE '%activate instance%' OR "CommandLine" LIKE '%ntds%')
    ) OR (
      "ProcessImage" LIKE '%wbadmin.exe' AND
      ("CommandLine" LIKE '%start backup%' OR "CommandLine" LIKE '%start recovery%')
    ) OR (
      ("ProcessImage" LIKE '%powershell.exe' OR "ProcessImage" LIKE '%pwsh.exe') AND
      ("CommandLine" LIKE '%NinjaCopy%' OR "CommandLine" LIKE '%Invoke-NinjaCopy%'
        OR "CommandLine" LIKE '%PhysicalDrive%' OR "CommandLine" LIKE '%HarddiskVolumeShadowCopy%'
        OR "CommandLine" LIKE '%GLOBALROOT%')
    ) OR
      "CommandLine" LIKE '%PhysicalDrive%'
    OR
      "CommandLine" LIKE '%GLOBALROOT%HarddiskVolumeShadowCopy%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

IBM QRadar with Microsoft Windows WinCollect agent (Sysmon Event ID 1) Windows Security Event Log via WinCollect (Event ID 4688 with process command-line auditing enabled) QRadar Microsoft Windows Sysmon DSM for custom property extraction

Required Tables

events

False Positives

Enterprise backup solutions (Veeam Backup & Replication, Commvault, NetBackup, SCDPM) running on backup servers invoke vssadmin.exe and wbadmin.exe routinely during scheduled jobs — expect sustained false positive volume from backup infrastructure hosts
Active Directory infrastructure teams creating IFM installation media for domain controller promotion using ntdsutil.exe 'activate instance ntds' and 'ifm' commands — indistinguishable from attacker use without additional context on the initiating account and host
PowerShell-based infrastructure automation scripts that reference HarddiskVolume paths for disk health checks, storage management, or scripted backup operations will match the PowerShellVolumeAccess category

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where _raw matches "*EventID=1*" OR _raw matches "*EventCode=1*" OR _raw matches "*EventID=4688*" OR _raw matches "*EventCode=4688*"
| parse "Image=*\n" as ProcessImage nodrop
| parse "CommandLine=*\n" as CommandLine nodrop
| parse "ParentImage=*\n" as ParentImage nodrop
| parse "ParentCommandLine=*\n" as ParentCommandLine nodrop
| parse "User=*\n" as User nodrop
| parse "Computer=*\n" as Computer nodrop
| where (
    (ProcessImage matches "*vssadmin.exe*" AND (
      CommandLine matches "*create shadow*" OR CommandLine matches "*list shadow*" OR CommandLine matches "*delete shadow*"
    )) OR
    (ProcessImage matches "*esentutl.exe*" AND (
      CommandLine matches "*HarddiskVolumeShadowCopy*" OR CommandLine matches "*GLOBALROOT*"
      OR CommandLine matches "*/y *" OR CommandLine matches "*/vss*"
    )) OR
    ProcessImage matches "*diskshadow.exe*" OR
    (ProcessImage matches "*ntdsutil.exe*" AND (
      CommandLine matches "*ifm*" OR CommandLine matches "*activate instance*" OR CommandLine matches "*ntds*"
    )) OR
    (ProcessImage matches "*wbadmin.exe*" AND (
      CommandLine matches "*start backup*" OR CommandLine matches "*start recovery*"
    )) OR
    ((ProcessImage matches "*powershell.exe*" OR ProcessImage matches "*pwsh.exe*") AND (
      CommandLine matches "*NinjaCopy*" OR CommandLine matches "*Invoke-NinjaCopy*"
      OR CommandLine matches "*PhysicalDrive*" OR CommandLine matches "*HarddiskVolumeShadowCopy*"
      OR CommandLine matches "*GLOBALROOT*" OR CommandLine matches "*GetDriveGeometry*"
    )) OR
    CommandLine matches "*PhysicalDrive*" OR
    CommandLine matches "*GLOBALROOT*HarddiskVolumeShadowCopy*"
  )
| eval ToolCategory = if(ProcessImage matches "*vssadmin.exe*", "ShadowCopyManagement",
    if(ProcessImage matches "*esentutl.exe*", "EsentutlVSS",
    if(ProcessImage matches "*diskshadow.exe*", "DiskShadow",
    if(ProcessImage matches "*ntdsutil.exe*", "NtdsutilIFM",
    if(ProcessImage matches "*wbadmin.exe*", "WindowsBackup",
    if(ProcessImage matches "*powershell.exe*" OR ProcessImage matches "*pwsh.exe*",
      "PowerShellVolumeAccess", "DirectVolumeAccess"))))))
| eval TargetsCredentials = if(
    toLowerCase(CommandLine) matches "*(ntds.dit|ntds.jfm|ntuser.dat|security.bak)*",
    "true", "false")
| eval RiskScore = if(TargetsCredentials = "true", "Critical",
    if(ToolCategory = "PowerShellVolumeAccess", "High",
    if(ToolCategory = "NtdsutilIFM", "High",
    if(ToolCategory = "EsentutlVSS", "High", "Medium"))))
| fields _messagetime, Computer, User, ProcessImage, CommandLine, ParentImage, ParentCommandLine, ToolCategory, TargetsCredentials, RiskScore
| sort by _messagetime desc

critical severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon Operational channel) Sumo Logic Windows Event Log source (Security channel, Event ID 4688 with enhanced command-line auditing GPO) Sumo Logic Cloud SIEM with Windows normalized schema

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Scheduled backup agents (Veeam, Backup Exec, Windows Server Backup service) that invoke vssadmin.exe and wbadmin.exe on backup servers during maintenance windows — add backup server hostnames to a suppression list to reduce noise
Legitimate domain controller IFM media creation during AD deployment procedures using ntdsutil.exe — the 'activate instance ntds' and 'ifm' argument pattern is identical to attacker technique; cross-reference with change management tickets
PowerShell-based disk health monitoring scripts and storage management automation that reference HarddiskVolume or PhysicalDrive paths for SMART data collection or disk capacity reporting

Google Chronicle / SecOps

yaral

rule T1006_Direct_Volume_Access {
  meta:
    author = "Detection Engineering"
    description = "Detects T1006 Direct Volume Access - VSS shadow copy manipulation tools, direct physical volume path access, and PowerShell-based raw disk API usage targeting credential stores (ntds.dit, SAM, SECURITY)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1006"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Windows"
    created = "2024-01-01"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(vssadmin|esentutl|diskshadow|ntdsutil|wbadmin)\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(create shadow|list shadow|delete shadow|HarddiskVolumeShadowCopy|GLOBALROOT|\/y |\/vss|ifm|activate instance|set context|add volume|start backup|start recovery)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(NinjaCopy|Invoke-NinjaCopy|PhysicalDrive|HarddiskVolumeShadowCopy|GLOBALROOT|GetDriveGeometry|FSCTL_GET_NTFS_VOLUME_DATA|DeviceIoControl)`)
      ) or
      (
        re.regex($e.target.process.command_line,
          `(?i)(PhysicalDrive|HarddiskVolumeShadowCopy|HarddiskVolume[0-9]|GLOBALROOT)`) and
        not re.regex($e.target.process.file.full_path, `(?i)(vssvc|svchost|wmiprvse)\.exe$`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle with Chronicle Forwarder agent deployed on Windows endpoints Windows Event Log forwarding to Chronicle via Forwarder (Sysmon Event ID 1, Security Event ID 4688) Chronicle Unified Data Model (UDM) PROCESS_LAUNCH event normalization

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Enterprise backup infrastructure systems (Veeam backup servers, Azure Backup MARs agent, Windows Server Backup scheduled tasks) that legitimately invoke vssadmin.exe and wbadmin.exe — create reference list exclusions for known backup service account UPNs and backup server hostnames in Chronicle
Active Directory engineers creating IFM installation media for new domain controller deployments using ntdsutil.exe — this produces an exact pattern match on 'activate instance ntds' and 'ifm' that is operationally indistinguishable at the command-line level; correlate against approved change requests
EDR and security tooling (Carbon Black, SentinelOne, CrowdStrike Falcon) that periodically access raw volume data or shadow copy paths as part of behavioral monitoring, forensic snapshot collection, or integrity baseline operations

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| test(
    (FileName == "vssadmin.exe" and (CommandLine = /(?i)create shadow/ or CommandLine = /(?i)list shadow/ or CommandLine = /(?i)delete shadow/))
    or (FileName == "esentutl.exe" and (CommandLine = /(?i)HarddiskVolumeShadowCopy/ or CommandLine = /(?i)GLOBALROOT/ or CommandLine = /\/y / or CommandLine = /\/vss/))
    or FileName == "diskshadow.exe"
    or (FileName == "ntdsutil.exe" and (CommandLine = /(?i)ifm/ or CommandLine = /(?i)activate instance/ or CommandLine = /(?i)ntds/))
    or (FileName == "wbadmin.exe" and (CommandLine = /(?i)start backup/ or CommandLine = /(?i)start recovery/))
    or (FileName in ("powershell.exe", "pwsh.exe") and (CommandLine = /(?i)NinjaCopy/ or CommandLine = /(?i)Invoke-NinjaCopy/ or CommandLine = /(?i)PhysicalDrive/ or CommandLine = /(?i)HarddiskVolumeShadowCopy/ or CommandLine = /(?i)GLOBALROOT/ or CommandLine = /(?i)GetDriveGeometry/))
    or CommandLine = /(?i)PhysicalDrive/
    or CommandLine = /(?i)GLOBALROOT.*HarddiskVolumeShadowCopy/
  )
| ToolCategory := case {
    FileName == "vssadmin.exe"   => "ShadowCopyManagement";
    FileName == "esentutl.exe"   => "EsentutlVSS";
    FileName == "diskshadow.exe" => "DiskShadow";
    FileName == "ntdsutil.exe"   => "NtdsutilIFM";
    FileName == "wbadmin.exe"    => "WindowsBackup";
    FileName in ("powershell.exe", "pwsh.exe") => "PowerShellVolumeAccess";
    *                            => "DirectVolumeAccess"
  }
| TargetsCredentials := if(CommandLine = /(?i)(ntds\.dit|ntds\.jfm|ntuser\.dat|security\.bak)/, "true", "false")
| RiskScore := case {
    TargetsCredentials == "true"                                                    => "Critical";
    ToolCategory in ("PowerShellVolumeAccess", "NtdsutilIFM", "EsentutlVSS")      => "High";
    *                                                                               => "Medium"
  }
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
     ToolCategory, TargetsCredentials, RiskScore],
    function=count(as=EventCount)
  )
| sort(field=RiskScore, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon sensor process telemetry (ProcessRollup2 events) CrowdStrike Humio / LogScale SIEM with Falcon data connector Falcon Data Replicator (FDR) event stream

Required Tables

ProcessRollup2

False Positives

Windows Server Backup and third-party backup agents (Veeam, Backup Exec) running under privileged service accounts that invoke vssadmin.exe and wbadmin.exe on scheduled backup jobs — particularly common on file servers, domain controllers, and Exchange servers; add backup host CIDs or service account names to an exclusion reference list
CrowdStrike Falcon sensor itself and competing EDR products may invoke volume-level APIs or reference VSS paths for their own behavioral monitoring, file scanning, or forensic telemetry collection, generating DirectVolumeAccess hits
Active Directory operations teams running ntdsutil.exe for authorized domain controller IFM creation, NTDS database integrity checks, or offline defragmentation — the command-line signature is identical to attacker use and requires out-of-band context (change tickets, known admin accounts) to differentiate

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Direct Volume Access

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections