title: Direct Volume Access (T1006)
id: df00tech-t1006
status: experimental
description: "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes, enabling reads and writes directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls and file system monitoring tools. Utilities such as NinjaCopy (PowerShell), vssadmin, wbadmin, and esentutl can be used to create shadow copies or access locked files (such as ntds.dit, SYSTEM hive, and SAM) directly from disk. Real-world actors including Scattered Spider and Volt Typhoon have leveraged Volume Shadow Copy Service (VSS) to extract credential stores without triggering standard file access controls."
references:
  - https://attack.mitre.org/techniques/T1006/
  - https://df00tech.com/detections/T1006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate backup software (Veeam, Acronis, Windows Server Backup) uses VSS APIs and vssadmin/wbadmin to create and manage shadow copies as part of normal backup jobs — correlate with scheduled backup windows"
  - "Database administrators using esentutl for legitimate NTDS or Exchange database maintenance, repair, or integrity checks — verify against change management tickets"
  - "Windows built-in System Restore and automatic shadow copy creation triggered by system updates or restore point schedules — check InitiatingProcessFileName for svchost.exe or vssvc.exe as parent"
  - "Security and compliance tools (CyberArk, BeyondTrust, Varonis) that enumerate shadow copies during privileged access audits or data classification scans"
  - "Forensic and incident response tooling run by authorized responders using disk imaging utilities that access raw volumes"
level: high
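The `detection` block above is a placeholder (`EventID: '*'` matches every process-creation event). As an added illustration, not the df00tech logic the comment refers to, the following is one way to turn the utilities and files named in the description into a concrete Sigma process_creation selection. It assumes the standard Sigma process_creation field names (`Image`, `CommandLine`, `ParentImage`) and that the command-line substrings chosen here are representative; both are assumptions, and the KQL/SPL query on df00tech remains the authoritative version.

```yaml
# Added example selection for this rule; not the df00tech detection logic.
# Field names assume the Sigma process_creation convention (Image,
# CommandLine, ParentImage); the substrings are assumptions drawn from the
# utilities and credential stores named in the description.
detection:
  # Shadow-copy creation through the built-in utilities named above
  selection_vss:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wbadmin.exe'
    CommandLine|contains:
      - 'create shadow'
      - 'start backup'
  # esentutl touching a locked credential store on disk
  selection_esentutl:
    Image|endswith: '\esentutl.exe'
    CommandLine|contains:
      - 'ntds.dit'
      - '\config\SAM'
      - '\config\SYSTEM'
  # NinjaCopy invoked from a PowerShell host
  selection_ninjacopy:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains: 'NinjaCopy'
  # System Restore / automatic shadow copies, per the falsepositives list
  filter_system_restore:
    ParentImage|endswith:
      - '\svchost.exe'
      - '\vssvc.exe'
  condition: 1 of selection_* and not filter_system_restore
```

The `filter_system_restore` clause mirrors the parent-process check in the falsepositives list, but it trades coverage for noise: scheduled tasks and services also spawn under `svchost.exe`, so a more conservative deployment correlates against known backup windows instead of filtering on the parent alone. Matching on `Image` also misses a renamed binary; where Sysmon is the source, pairing it with `OriginalFileName` closes that gap.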
