T1006 Microsoft Sentinel · KQL

Detect Direct Volume Access in Microsoft Sentinel

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes, enabling reads and writes directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls and file system monitoring tools. Utilities such as NinjaCopy (PowerShell), vssadmin, wbadmin, and esentutl can be used to create shadow copies or access locked files (such as ntds.dit, SYSTEM hive, and SAM) directly from disk. Real-world actors including Scattered Spider and Volt Typhoon have leveraged Volume Shadow Copy Service (VSS) to extract credential stores without triggering standard file access controls.

MITRE ATT&CK

  • Tactic: Defense Evasion
  • Technique: T1006 Direct Volume Access
  • Canonical reference: https://attack.mitre.org/techniques/T1006/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Raw-volume and shadow-copy path patterns. These paths end in a digit
// (HarddiskVolumeShadowCopy1, PhysicalDrive0), so a term-based has_any on the
// prefix does not match them; a case-insensitive regex does.
let DirectVolumeRegex = @"(?i)HarddiskVolumeShadowCopy|GLOBALROOT\\Device|\\\\\.\\(PhysicalDrive|HarddiskVolume)|\\\\\?\\GLOBALROOT|vssadmin|diskshadow";
// has_any is case-insensitive, so one spelling per credential store is enough
let CredentialTargets = dynamic([
  "ntds.dit", "ntds.jfm", "SAM", "SECURITY", "SYSTEM",
  "NTUSER.DAT", "security.bak"
]);
let SuspiciousTools = dynamic([
  "esentutl.exe", "vssadmin.exe", "wbadmin.exe",
  "diskshadow.exe", "ntdsutil.exe"
]);
// Branch 1: Shadow copy creation and manipulation tools
let ShadowCopyOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (SuspiciousTools)
| where ProcessCommandLine has_any ("create shadow", "list shadows", "delete shadows",
    "/y", "/vss", "start backup", "ifm", "activate instance",
    "set context", "add volume", "expose", "GLOBALROOT")
    or ProcessCommandLine contains "HarddiskVolumeShadowCopy"
| extend DetectionBranch = "ShadowCopyOrVSSToolUsage"
| extend TargetsCredentials = ProcessCommandLine has_any (CredentialTargets);
// Branch 2: Direct volume path access in any process command line
let DirectVolumeOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine matches regex DirectVolumeRegex
| where FileName !in~ ("vssvc.exe", "svchost.exe", "WmiPrvSE.exe")
| extend DetectionBranch = "DirectVolumePathInCommandLine"
| extend TargetsCredentials = ProcessCommandLine has_any (CredentialTargets);
// Branch 3: PowerShell NinjaCopy or raw disk access.
// has_any cannot take a regex, so raw device handles are matched separately.
let NinjaCopyOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("NinjaCopy", "Invoke-NinjaCopy",
    "GetDriveGeometry", "FSCTL_GET_NTFS_VOLUME_DATA", "DeviceIoControl")
    or ProcessCommandLine matches regex @"(?i)CreateFile.*\\\\\.\\Harddisk|(PhysicalDrive|HarddiskVolume)\d"
| extend DetectionBranch = "PowerShellDirectVolumeAccess"
| extend TargetsCredentials = ProcessCommandLine has_any (CredentialTargets);
// Branch 4: File events for credential stores under shadow copy paths
let ShadowCopyFileAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath contains "HarddiskVolumeShadowCopy" or FolderPath contains "GLOBALROOT\\Device"
| where FileName has_any (CredentialTargets)
| extend DetectionBranch = "CredentialFileReadFromShadowCopy"
| extend TargetsCredentials = true
// DeviceFileEvents has no AccountName column; carry the initiating process account instead
| extend AccountName = InitiatingProcessAccountName,
    ProcessCommandLine = InitiatingProcessCommandLine;
// Combine all four branches (default union is outer, so columns missing in a branch are empty)
union ShadowCopyOps, DirectVolumeOps, NinjaCopyOps, ShadowCopyFileAccess
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, TargetsCredentials
| extend RiskScore = case(
    TargetsCredentials == true, "Critical",
    DetectionBranch == "PowerShellDirectVolumeAccess", "High",
    "Medium")
| sort by Timestamp desc
```

Severity: High · Confidence: High

Detects direct volume access patterns across four detection branches: (1) shadow copy creation and manipulation tools (vssadmin, esentutl, diskshadow, ntdsutil, wbadmin) with suspicious flags; (2) any process with direct volume path references (\\?\GLOBALROOT, PhysicalDrive, HarddiskVolumeShadowCopy) in command lines; (3) PowerShell-based direct volume access tools such as NinjaCopy; and (4) file read events targeting credential stores (ntds.dit, SAM, SYSTEM) from shadow copy device paths. Risk scoring escalates when credential file targets are identified. Uses both DeviceProcessEvents and DeviceFileEvents from Microsoft Defender for Endpoint.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • File: File Access
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Legitimate backup software (Veeam, Acronis, Windows Server Backup) uses VSS APIs and vssadmin/wbadmin to create and manage shadow copies as part of normal backup jobs — correlate with scheduled backup windows
  • Database administrators using esentutl for legitimate NTDS or Exchange database maintenance, repair, or integrity checks — verify against change management tickets
  • Windows built-in System Restore and automatic shadow copy creation triggered by system updates or restore point schedules — check InitiatingProcessFileName for svchost.exe or vssvc.exe as parent
  • Security and compliance tools (CyberArk, BeyondTrust, Varonis) that enumerate shadow copies during privileged access audits or data classification scans
  • Forensic and incident response tooling run by authorized responders using disk imaging utilities that access raw volumes
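As an added tuning example (not part of the original rule), the following KQL layers the suppressions the list above describes on top of the detection's output while keeping the suppression reason auditable. It assumes the detection query is saved as a Sentinel function named DirectVolumeHits() returning its columns, a nightly backup window of 01:00 to 04:00 in the table's time zone, and placeholder account names; credential-store hits are never suppressed.

```kusto
// Assumption: the detection above is saved as a Sentinel function DirectVolumeHits()
// that returns Timestamp, DeviceName, AccountName, ProcessCommandLine,
// InitiatingProcessFileName, DetectionBranch, TargetsCredentials and RiskScore.
let BackupWindowStartHour = 1;   // assumed backup window 01:00-04:00 (table time zone)
let BackupWindowEndHour   = 4;
// Parents that legitimately drive VSS: the Windows Server Backup engine, the VSS
// service and svchost (System Restore). Extend with your backup agent's binaries.
let KnownBackupParents = dynamic(["wbengine.exe", "vssvc.exe", "svchost.exe"]);
// Accounts approved for esentutl/ntdsutil maintenance (placeholder values)
let ApprovedAdminAccounts = dynamic(["svc_backup_PLACEHOLDER", "dba_PLACEHOLDER"]);
DirectVolumeHits()
| extend HourOfDay = hourofday(Timestamp)
| extend InBackupWindow = HourOfDay >= BackupWindowStartHour and HourOfDay < BackupWindowEndHour
| extend KnownBackupParent = InitiatingProcessFileName in~ (KnownBackupParents)
| extend ApprovedAccount = AccountName in~ (ApprovedAdminAccounts)
// Record why a hit is suppressed instead of silently dropping it;
// anything that touches a credential store is always kept.
| extend SuppressReason = case(
    TargetsCredentials == true, "",
    InBackupWindow and KnownBackupParent, "backup window with known backup parent",
    ApprovedAccount and DetectionBranch == "ShadowCopyOrVSSToolUsage", "approved admin running VSS tooling",
    "")
| where isempty(SuppressReason)
// Roll up what remains so one noisy host does not flood the queue
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
    Branches = make_set(DetectionBranch), SampleCommandLine = take_any(ProcessCommandLine)
    by DeviceName, AccountName, InitiatingProcessFileName, RiskScore
| order by Hits desc
```

Review the suppressed population periodically by inverting the `isempty` filter, since a backup-window allowlist is exactly where an adversary mimicking backup tooling would hide.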
Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VSS Shadow Copy Creation and NTDS Extraction via esentutl

    Expected signal: Sysmon Event ID 1: Process Create for vssadmin.exe with CommandLine containing 'create shadow /for=C:'. Second Sysmon Event ID 1: esentutl.exe with CommandLine containing the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy path and '/vss'. Security Event ID 4688 for both processes if command line auditing is enabled. Microsoft-Windows-StorageService/Operational events for VSS snapshot creation. Sysmon Event ID 11 (File Create) for SYSTEM.bak in %TEMP%.

  2. Test 2: Diskshadow Script-Based Shadow Copy and File Exposure

    Expected signal: Sysmon Event ID 1: diskshadow.exe with CommandLine containing '/s' and the .dsh script path. Sysmon Event ID 11: creation of dsh_test.dsh in %TEMP% by powershell.exe. Security Event ID 4688 for diskshadow.exe. Microsoft-Windows-StorageService/Operational events for VSS snapshot creation via diskshadow. If drive Z: is exposed, subsequent file access on Z: generates normal file system events attributed to the accessing process.

  3. Test 3: ntdsutil IFM Media Creation for NTDS Extraction

    Expected signal: Sysmon Event ID 1: ntdsutil.exe with CommandLine containing 'ifm', 'create full', and the output path. Security Event ID 4688 for ntdsutil.exe. On a domain controller: Security Event ID 4656/4663 for NTDS directory handle access, and Sysmon Event ID 11 for file creation of ntds.dit and SYSTEM in the IFM output directory. On a non-DC: ntdsutil exits with an error (0x80070003 - path not found for NTDS) but process creation event still fires.

  4. Test 4: PowerShell Direct Physical Drive Read Simulation

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing '\\.\PhysicalDrive0' and 'FileOpen'. Security Event ID 4688 if command line auditing is enabled. If Object Access auditing covers raw disk handles: Security Event ID 4656 for handle request to PhysicalDrive0. This command will fail with 'Access Denied' for non-elevated users, but the process creation event still fires and matches the detection pattern.
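After the four tests have run, this added validation query (not from the page) checks in Sentinel's SecurityEvent table that the Security Event ID 4688 signals listed above actually arrived, and flags any test whose process creation event is missing. It assumes SecurityEvent is ingested with command-line auditing enabled (otherwise CommandLine is empty), a placeholder host name, and that the tests ran within the last two hours.

```kusto
// Assumptions: SecurityEvent is ingested, command-line auditing is on,
// and the tests ran on TestHost within the last TestWindow.
let TestWindow = 2h;
let TestHost = "TESTHOST_PLACEHOLDER";
// One expected 4688 signal per test step described above
let ExpectedTests = datatable(TestId:string) [
  "Test 1 vssadmin", "Test 1 esentutl", "Test 2 diskshadow",
  "Test 3 ntdsutil", "Test 4 powershell"
];
let ObservedEvents = SecurityEvent
| where TimeGenerated > ago(TestWindow) and EventID == 4688
| where Computer =~ TestHost
// NewProcessName is a full path; keep only the image name for matching
| extend ImageName = tolower(extract(@"([^\\]+)$", 1, NewProcessName))
| extend TestId = case(
    ImageName == "vssadmin.exe" and CommandLine has "create shadow", "Test 1 vssadmin",
    ImageName == "esentutl.exe" and CommandLine has "/vss", "Test 1 esentutl",
    ImageName == "diskshadow.exe" and CommandLine contains "/s", "Test 2 diskshadow",
    ImageName == "ntdsutil.exe" and CommandLine has "ifm", "Test 3 ntdsutil",
    ImageName in ("powershell.exe", "pwsh.exe")
      and CommandLine matches regex @"(?i)\\\\\.\\PhysicalDrive\d", "Test 4 powershell",
    "")
| where isnotempty(TestId)
| summarize Seen = count(), FirstSeen = min(TimeGenerated),
    SampleCommandLine = take_any(CommandLine) by TestId;
// Left-outer join keeps expected tests with no matching event so gaps are visible
ExpectedTests
| join kind=leftouter ObservedEvents on TestId
| extend Status = iff(isnull(Seen), "MISSING", "OK")
| project TestId, Status, Seen, FirstSeen, SampleCommandLine
| order by TestId asc
```

A MISSING row for Test 4 on a non-elevated run is still a telemetry gap, since the page notes the process creation event fires even though the raw read is denied.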
