MITRE ATT&CK® Technique

T1006: Direct Volume Access

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.[1]

Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.[2] Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and `esentutl`) to create shadow copies or backups of data from system volumes.[3]
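To make the first paragraph concrete, here is an added example (the editor's illustration, not code from MITRE, NinjaCopy or FDump) of the first step such a tool performs: open the raw volume device and parse its NTFS boot sector to find where the Master File Table ($MFT) lives, which is the starting point for walking the file system structures without ever opening a file. The `\\.\C:` device path is the real Windows device-namespace convention and needs administrative rights; the sample boot sector embedded in the block is constructed, not a dump of a real disk, and the handling of the sectors-per-cluster byte covers the large-cluster encoding used on volumes formatted with clusters above 64 KB.

```python
import struct

# Offsets in the NTFS boot sector (first 512 bytes of the volume), little endian.
OEM_ID_OFF = 0x03                    # 8 bytes, b"NTFS    "
BYTES_PER_SECTOR_OFF = 0x0B          # uint16
SECTORS_PER_CLUSTER_OFF = 0x0D       # uint8; >= 0x80 means 2^(256 - value) sectors
TOTAL_SECTORS_OFF = 0x28             # uint64
MFT_LCN_OFF = 0x30                   # uint64, logical cluster number of $MFT
MFTMIRR_LCN_OFF = 0x38               # uint64, logical cluster number of $MFTMirr
CLUSTERS_PER_MFT_RECORD_OFF = 0x40   # int8; negative n means a record is 2^-n bytes
SIGNATURE_OFF = 0x1FE                # b"\x55\xAA"


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Parse the fields needed to locate $MFT by byte offset on the raw volume."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[OEM_ID_OFF:OEM_ID_OFF + 8] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")

    bytes_per_sector, = struct.unpack_from("<H", sector, BYTES_PER_SECTOR_OFF)
    spc_raw = sector[SECTORS_PER_CLUSTER_OFF]
    # Large-cluster encoding: the byte is a negative power-of-two exponent.
    sectors_per_cluster = (1 << (256 - spc_raw)) if spc_raw >= 0x80 else spc_raw
    cluster_size = bytes_per_sector * sectors_per_cluster

    total_sectors, = struct.unpack_from("<Q", sector, TOTAL_SECTORS_OFF)
    mft_lcn, = struct.unpack_from("<Q", sector, MFT_LCN_OFF)
    mftmirr_lcn, = struct.unpack_from("<Q", sector, MFTMIRR_LCN_OFF)
    cpr_raw = sector[CLUSTERS_PER_MFT_RECORD_OFF]
    mft_record_size = (1 << (256 - cpr_raw)) if cpr_raw >= 0x80 else cpr_raw * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,          # where a raw reader seeks next
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": mft_record_size,
    }


def read_volume_boot_sector(device: str = r"\\.\C:") -> bytes:
    """Read sector 0 straight from the volume device (Windows, elevated process).

    No file on the volume is opened: the handle is to the device object, so the
    NTFS ACL of every file on it, and any object-access audit rule on those files,
    is never consulted. Raw device reads must be sector aligned, hence the
    unbuffered 512-byte read. Not executed offline.
    """
    with open(device, "rb", buffering=0) as dev:
        return dev.read(512)


def build_sample_boot_sector(sectors_per_cluster_byte: int = 8) -> bytes:
    """Constructed NTFS boot sector for the example (not a dump of a real disk)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                      # jump instruction
    s[OEM_ID_OFF:OEM_ID_OFF + 8] = b"NTFS    "
    struct.pack_into("<H", s, BYTES_PER_SECTOR_OFF, 512)
    s[SECTORS_PER_CLUSTER_OFF] = sectors_per_cluster_byte
    struct.pack_into("<Q", s, TOTAL_SECTORS_OFF, 209715199)   # roughly 100 GiB
    struct.pack_into("<Q", s, MFT_LCN_OFF, 786432)            # $MFT at LCN 786432
    struct.pack_into("<Q", s, MFTMIRR_LCN_OFF, 2)
    s[CLUSTERS_PER_MFT_RECORD_OFF] = 0xF6                     # -10 -> 1024-byte records
    s[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    import json
    print(json.dumps(parse_ntfs_boot_sector(build_sample_boot_sector()), indent=2))
```

The defensive takeaway is in `read_volume_boot_sector`: the only object the process opens is the volume device itself, so per-file permissions and file-level auditing on targets such as the SAM hive or `ntds.dit` never fire. The observable event is the handle to `\\.\C:` or `\\.\PhysicalDriveN` from an unexpected process, which is what endpoint telemetry has to capture for this technique.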

Enterprise | T1006 | Technique | Object version 3.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Direct Volume Access matters because it can let an adversary read or copy data from a disk volume in ways that bypass normal file permissions and file-system monitoring. For leaders, this is a stealth and evidence-risk issue: sensitive files may be accessed without the same alerts expected from standard file access logging, especially when built-in or common utilities such as vssadmin, wbadmin, or esentutl are involved.

Executive priority

Prioritize this where Windows systems hold high-value data, credentials, backups, or operationally sensitive records. The business question is whether privileged users and processes can create shadow copies, backups, or direct volume reads without strong monitoring and review. ATT&CK also maps this technique to named groups and campaigns, including critical-infrastructure-related context, so it is relevant to resilience planning, incident response readiness, and audit evidence for privileged access control.

Technical view

SOC and IR teams should validate coverage for raw access to Windows logical volumes (device paths such as `\\.\C:` or `\\.\PhysicalDrive0`), PowerShell-based tooling such as NinjaCopy, and use of the built-in or third-party utilities referenced by ATT&CK, including vssadmin, wbadmin, and esentutl. Because ATT&CK provides no official detection text for T1006, teams should lean on the related detection strategy DET0426 and test whether endpoint telemetry can show suspicious process behavior, privileged account use, shadow copy or backup creation, and access patterns that do not align with normal administrative activity.

Likely telemetry

  • Windows process creation and command-line telemetry
  • PowerShell script block, module, and transcript logging where enabled
  • Endpoint detection telemetry for raw disk or logical volume access behavior
  • Shadow copy and backup-related events
  • Use of vssadmin, wbadmin, and esentutl

Detection direction

  • Confirm whether DET0426 or equivalent analytics are implemented and tested against direct volume access behavior.
  • Tune detections around suspicious use of vssadmin, wbadmin, esentutl, and PowerShell-based copying while accounting for legitimate backup, database maintenance, and administrative workflows.
  • Correlate volume or shadow-copy activity with privileged logons, unusual parent processes, off-hours execution, and access to sensitive systems.
  • Review blind spots where file-system monitoring alone is assumed to provide coverage; this technique is specifically relevant because it may bypass those controls.
  • Separate expected backup operations from ad hoc or user-initiated backup/shadow-copy activity to reduce false positives without suppressing meaningful alerts.
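As an added illustration of the detection direction above (the editor's example, not DET0426 or a Glexia analytic), the following scores Windows process-creation records for the utilities this page names and adds the context signals the bullets call for: sensitive target paths, interactive parent processes, off-hours execution, non-service accounts, and an allowlist for sanctioned backup jobs so expected backups do not alert. The records, the allowlist path, the off-hours window and the weights are constructed for the example and should be replaced with local values; the field names mirror what a Sysmon Event ID 1 or Security 4688 record provides.

```python
import re
from datetime import datetime

# Command-line patterns for the utilities and tooling named on this page.
INDICATORS = [
    ("vssadmin_create_shadow", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("wbadmin_start_backup", re.compile(r"\bwbadmin(\.exe)?\s+start\s+backup", re.I)),
    ("esentutl_vss_copy", re.compile(r"\besentutl(\.exe)?\s.*(/vss\b|/y\s)", re.I)),
    ("invoke_ninjacopy", re.compile(r"invoke-ninjacopy", re.I)),
    ("raw_volume_device", re.compile(r"\\\\[.?]\\(physicaldrive\d+|harddiskvolume\d+|[a-z]:)", re.I)),
]
# System-volume files whose raw copy is a credential-theft staple.
SENSITIVE_TARGETS = re.compile(r"ntds\.dit|\\system32\\config\\(sam|system|security)\b", re.I)
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}
# Constructed allowlist (assumption): parent images of sanctioned backup agents.
SANCTIONED_BACKUP_PARENTS = {r"c:\program files\examplebackup\agent.exe"}
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
ALERT_THRESHOLD = 5  # tune locally; chosen so a sanctioned scheduled backup stays below it


def score_record(rec: dict):
    """Return (score, reasons) for one record, or None when no indicator matched."""
    cmd = rec["command_line"]
    reasons = [name for name, rx in INDICATORS if rx.search(cmd)]
    if not reasons:
        return None
    score = 3  # any named indicator is worth a look on its own
    if SENSITIVE_TARGETS.search(cmd):
        score += 2
        reasons.append("sensitive_target")
    parent = rec["parent_image"].lower()
    if parent.rsplit("\\", 1)[-1] in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("interactive_parent")
    hour = datetime.fromisoformat(rec["timestamp"]).hour
    if hour < 7 or hour >= 19:  # constructed business-hours window
        score += 1
        reasons.append("off_hours")
    if rec["user"].lower() not in SERVICE_ACCOUNTS:
        score += 1
        reasons.append("non_service_account")
    if parent in SANCTIONED_BACKUP_PARENTS:
        score -= 3  # expected backup job; still recorded, not alerted
        reasons.append("sanctioned_backup_parent")
    return score, reasons


def detect(records):
    """Score every record and return alerts at or above threshold, highest first."""
    alerts = []
    for rec in records:
        result = score_record(rec)
        if result and result[0] >= ALERT_THRESHOLD:
            alerts.append({"timestamp": rec["timestamp"], "user": rec["user"],
                           "image": rec["image"], "score": result[0], "reasons": result[1]})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


SAMPLE_RECORDS = [  # constructed for the example, not taken from a real host
    {"timestamp": "2025-03-14T23:39:50", "user": r"CORP\jdoe-adm",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe create shadow /for=C:",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"timestamp": "2025-03-14T23:41:07", "user": r"CORP\jdoe-adm",
     "image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Users\Public\n.dit",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"timestamp": "2025-03-15T00:02:11", "user": r"CORP\jdoe-adm",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -c "Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit -LocalDestination C:\Users\Public\x.dit"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"timestamp": "2025-03-15T02:00:03", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "command_line": "wbadmin start backup -backupTarget:E: -include:C: -quiet",
     "parent_image": r"C:\Program Files\ExampleBackup\agent.exe"},
    {"timestamp": "2025-03-14T10:15:00", "user": r"CORP\dbadmin",
     "image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /mh C:\Windows\NTDS\ntds.dit",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert["score"], alert["user"], alert["image"], ", ".join(alert["reasons"]))
```

On the sample input the two `ntds.dit` copies score 8 and the ad hoc `vssadmin create shadow` scores 6, while the scheduled `wbadmin` run from the sanctioned agent lands at 1 and the daytime `esentutl /mh` header dump matches no indicator. The point of the negative weight rather than a hard suppression is the last bullet above: the sanctioned backup is still scored and kept, so a compromised backup host that starts copying credential stores would still surface once the sensitive-target and off-hours signals stack on top.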

Mitigation priorities

  • Apply User Account Management controls: enforce least privilege and limit who can perform administrative disk, backup, or shadow-copy operations.
  • Use Behavior Prevention on Endpoint capabilities to block or alert on suspicious process behavior involving direct volume access or abnormal backup/shadow-copy activity.
  • Restrict and monitor administrative utilities that can copy or expose protected data from system volumes.
  • Maintain evidence that privileged access, backup privileges, and endpoint behavior controls are reviewed regularly for compliance and incident readiness.
Analyst notes and limits

ATT&CK maps T1006 to the Defense Evasion tactic and lists Windows and Network Devices as platforms, but the supplied description is primarily Windows-focused. Relationship context includes DET0426 as a detection strategy, mitigations M1018 (User Account Management) and M1040 (Behavior Prevention on Endpoint), software S0404 esentutl, and use relationships for C0051, C0063, G1015, and G1017. Treat those mappings as prioritization context, not proof of current activity in any environment.

Official ATT&CK detection guidance is not provided for this object, and the supplied relationship descriptions are partial. Local validation is required to determine whether endpoint logs, PowerShell logging, backup events, and privileged access records are actually collected and retained. Do not assume file access monitoring alone covers this behavior.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations. [6]

Campaign Enterprise

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Campaign Enterprise

C0051: APT28 Nearest Neighbor Campaign

APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily relied on living-off-the-land techniques, alongside zero-day exploitation of CVE-2022-38028. Notably, APT28 used Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations near the intended target, APT28 discovered dual-homed systems (with both a wired and a wireless network connection), enabled Wi-Fi on them, and used compromised credentials to connect to the victim network.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 3.0
Raw hash: bb00aa26681d0027...

Imported snapshots across ATT&CK releases (1)

  Release: 19.1
  Object version: 3.0
  Status: Current bundle
  Raw hash: bb00aa26681d…
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.
  [2] Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. PowerSploit (GitHub). Retrieved June 2, 2016.
  [3] LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  [4] MITRE ATT&CK. T1006: Direct Volume Access (technique entry on attack.mitre.org).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.