T1006 CrowdStrike LogScale · LogScale

Detect Direct Volume Access in CrowdStrike LogScale

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes, enabling reads and writes directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls and file system monitoring tools. Utilities such as NinjaCopy (PowerShell), vssadmin, wbadmin, and esentutl can be used to create shadow copies or access locked files (such as ntds.dit, SYSTEM hive, and SAM) directly from disk. Real-world actors including Scattered Spider and Volt Typhoon have leveraged Volume Shadow Copy Service (VSS) to extract credential stores without triggering standard file access controls.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1006 Direct Volume Access
Canonical reference
https://attack.mitre.org/techniques/T1006/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| test(
    (FileName == "vssadmin.exe" and (CommandLine = /(?i)create shadow/ or CommandLine = /(?i)list shadow/ or CommandLine = /(?i)delete shadow/))
    or (FileName == "esentutl.exe" and (CommandLine = /(?i)HarddiskVolumeShadowCopy/ or CommandLine = /(?i)GLOBALROOT/ or CommandLine = /\/y / or CommandLine = /\/vss/))
    or FileName == "diskshadow.exe"
    or (FileName == "ntdsutil.exe" and (CommandLine = /(?i)ifm/ or CommandLine = /(?i)activate instance/ or CommandLine = /(?i)ntds/))
    or (FileName == "wbadmin.exe" and (CommandLine = /(?i)start backup/ or CommandLine = /(?i)start recovery/))
    or (FileName in ("powershell.exe", "pwsh.exe") and (CommandLine = /(?i)NinjaCopy/ or CommandLine = /(?i)Invoke-NinjaCopy/ or CommandLine = /(?i)PhysicalDrive/ or CommandLine = /(?i)HarddiskVolumeShadowCopy/ or CommandLine = /(?i)GLOBALROOT/ or CommandLine = /(?i)GetDriveGeometry/))
    or CommandLine = /(?i)PhysicalDrive/
    or CommandLine = /(?i)GLOBALROOT.*HarddiskVolumeShadowCopy/
  )
| ToolCategory := case {
    FileName == "vssadmin.exe"   => "ShadowCopyManagement";
    FileName == "esentutl.exe"   => "EsentutlVSS";
    FileName == "diskshadow.exe" => "DiskShadow";
    FileName == "ntdsutil.exe"   => "NtdsutilIFM";
    FileName == "wbadmin.exe"    => "WindowsBackup";
    FileName in ("powershell.exe", "pwsh.exe") => "PowerShellVolumeAccess";
    *                            => "DirectVolumeAccess"
  }
| TargetsCredentials := if(CommandLine = /(?i)(ntds\.dit|ntds\.jfm|ntuser\.dat|security\.bak)/, "true", "false")
| RiskScore := case {
    TargetsCredentials == "true"                                                    => "Critical";
    ToolCategory in ("PowerShellVolumeAccess", "NtdsutilIFM", "EsentutlVSS")      => "High";
    *                                                                               => "Medium"
  }
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
     ToolCategory, TargetsCredentials, RiskScore],
    function=count(as=EventCount)
  )
| sort(field=RiskScore, order=desc)
critical severity high confidence

CrowdStrike LogScale (Falcon) CQL query detecting T1006 Direct Volume Access using ProcessRollup2 events from the Falcon sensor. Applies regex-based branch matching for VSS management tools, direct volume path references, and PowerShell raw disk access. Enriches each process event with ToolCategory classification, TargetsCredentials flag for credential store targeting, and a tiered RiskScore. Results are grouped by unique process invocation profile to surface repeated activity patterns and reduce duplicate alert noise.

Data Sources

CrowdStrike Falcon sensor process telemetry (ProcessRollup2 events)CrowdStrike Humio / LogScale SIEM with Falcon data connectorFalcon Data Replicator (FDR) event stream

Required Tables

ProcessRollup2

False Positives & Tuning

  • Windows Server Backup and third-party backup agents (Veeam, Backup Exec) running under privileged service accounts that invoke vssadmin.exe and wbadmin.exe on scheduled backup jobs — particularly common on file servers, domain controllers, and Exchange servers; add backup host CIDs or service account names to an exclusion reference list
  • CrowdStrike Falcon sensor itself and competing EDR products may invoke volume-level APIs or reference VSS paths for their own behavioral monitoring, file scanning, or forensic telemetry collection, generating DirectVolumeAccess hits
  • Active Directory operations teams running ntdsutil.exe for authorized domain controller IFM creation, NTDS database integrity checks, or offline defragmentation — the command-line signature is identical to attacker use and requires out-of-band context (change tickets, known admin accounts) to differentiate
Download portable Sigma rule (.yml)

Other platforms for T1006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VSS Shadow Copy Creation and NTDS Extraction via esentutl

    Expected signal: Sysmon Event ID 1: Process Create for vssadmin.exe with CommandLine containing 'create shadow /for=C:'. Second Sysmon Event ID 1: esentutl.exe with CommandLine containing the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy path and '/vss'. Security Event ID 4688 for both processes if command line auditing is enabled. Microsoft-Windows-StorageService/Operational events for VSS snapshot creation. Sysmon Event ID 11 (File Create) for SYSTEM.bak in %TEMP%.

  2. Test 2Diskshadow Script-Based Shadow Copy and File Exposure

    Expected signal: Sysmon Event ID 1: diskshadow.exe with CommandLine containing '/s' and the .dsh script path. Sysmon Event ID 11: creation of dsh_test.dsh in %TEMP% by powershell.exe. Security Event ID 4688 for diskshadow.exe. Microsoft-Windows-StorageService/Operational events for VSS snapshot creation via diskshadow. If drive Z: is exposed, subsequent file access on Z: generates normal file system events attributed to the accessing process.

  3. Test 3ntdsutil IFM Media Creation for NTDS Extraction

    Expected signal: Sysmon Event ID 1: ntdsutil.exe with CommandLine containing 'ifm', 'create full', and the output path. Security Event ID 4688 for ntdsutil.exe. On a domain controller: Security Event ID 4656/4663 for NTDS directory handle access, and Sysmon Event ID 11 for file creation of ntds.dit and SYSTEM in the IFM output directory. On a non-DC: ntdsutil exits with an error (0x80070003 - path not found for NTDS) but process creation event still fires.

  4. Test 4PowerShell Direct Physical Drive Read Simulation

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '\\.\PhysicalDrive0' and 'FileOpen'. Security Event ID 4688 if command line auditing is enabled. If Object Access auditing covers raw disk handles: Security Event ID 4656 for handle request to PhysicalDrive0. This command will fail with 'Access Denied' for non-elevated users, but the process creation event still fires and matches the detection pattern.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1003.002Security Account ManagerT1003.003NTDST1059.001PowerShellT1490Inhibit System RecoveryT1055Process InjectionT1078.002Domain AccountsT1560Archive Collected DataT1048Exfiltration Over Alternative ProtocolT1485Data Destruction

Same Tactic: Defense Evasion

Popular Detections