File size: 3,568 Bytes

5fe70fd

{
    "type": "bundle",
    "id": "bundle--689a2bab-e2bd-4b20-ab17-9e615a2c31c1",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_platforms": [
                "Windows"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
            "type": "attack-pattern",
            "created": "2017-05-31T21:30:20.934Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1006",
                    "url": "https://attack.mitre.org/techniques/T1006"
                },
                {
                    "url": "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin",
                    "description": "Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.",
                    "source_name": "Hakobyan 2009"
                },
                {
                    "url": "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1",
                    "description": "Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.",
                    "source_name": "Github PowerSploit Ninjacopy"
                }
            ],
            "modified": "2021-02-09T14:09:00.753Z",
            "name": "Direct Volume Access",
            "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "defense-evasion"
                }
            ],
            "x_mitre_detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1059/001), additional logging of PowerShell scripts is recommended.",
            "x_mitre_version": "2.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_data_sources": [
                "Command: Command Execution",
                "Drive: Drive Access"
            ],
            "x_mitre_defense_bypassed": [
                "File monitoring",
                "File system access controls"
            ],
            "x_mitre_permissions_required": [
                "Administrator"
            ],
            "x_mitre_is_subtechnique": false
        }
    ]
}