{
  "type": "attack-pattern",
  "spec_version": "2.1",
  "id": "attack-pattern--f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3",
  "created": "2025-09-25T21:09:38.677Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "revoked": false,
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1680",
      "external_id": "T1680"
    },
    {
      "source_name": "Volexity",
      "description": "Ankur Saini, Charlie Gardner. (2023, June 28). Charming Kitten Updates POWERSTAR with an InterPlanetary Twist. Retrieved September 25, 2025.",
      "url": "https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/"
    },
    {
      "source_name": "AWS docs describe volumes",
      "description": "AWS. (n.d.). describe-volumes. Retrieved October 20, 2025.",
      "url": "https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html"
    },
    {
      "source_name": "azure az disk",
      "description": "Azure. (n.d.). az disk. Retrieved October 20, 2025.",
      "url": "https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest"
    },
    {
      "source_name": "GCP gcloud compute disks list",
      "description": "Google Cloud. (n.d.). gcloud compute disks list. Retrieved October 20, 2025.",
      "url": "https://cloud.google.com/sdk/gcloud/reference/compute/disks/list"
    },
    {
      "source_name": "TrendMicro ESXI Ransomware",
      "description": "Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.",
      "url": "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html"
    },
    {
      "source_name": "Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024",
      "description": "Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.",
      "url": "https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html"
    },
    {
      "source_name": "TrendMicro",
      "description": "Mina Naiim. (2021, May 28). DarkSide on Linux: Virtual Machines Targeted. Retrieved March 26, 2025.",
      "url": "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2026-05-12T15:12:00.724Z",
  "name": "Local Storage Discovery",
  "description": "Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0109), or as a precursor to [Direct Volume Access](https://attack.mitre.org/techniques/T1006). \n\nOn ESXi systems, adversaries may use [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) commands such as `esxcli` to list storage connected to the host as well as `.vmdk` files.(Citation: TrendMicro)(Citation: TrendMicro ESXI Ransomware)\n\nOn Windows systems, adversaries can use `wmic logicaldisk get` to find information about local network drives. They can also use `Get-PSDrive` in PowerShell to retrieve drives and may additionally use Windows API functions such as `GetDriveType`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Volexity)\n\nLinux has commands such as `parted`, `lsblk`, `fdisk`, `lshw`, and `df` that can list information about disk partitions such as size, type, file system types, and free space. The command `diskutil` on macOS can be used to list disks while `system_profiler SPStorageDataType` can additionally show information such as a volume’s mount path, file system, and the type of drive in the system. \n\nInfrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as `describe-volumes` in AWS, `gcloud compute disks list` in GCP, and `az disk list` in Azure.(Citation: AWS docs describe volumes)(Citation: GCP gcloud compute disks list)(Citation: azure az disk)",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "discovery"
    }
  ],
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_contributors": [
    "Liran Ravich, CardinalOps"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_is_subtechnique": false,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [
    "ESXi",
    "IaaS",
    "Linux",
    "macOS",
    "Windows"
  ],
  "x_mitre_version": "1.0"
}