MITRE ATT&CK Technique
Defense Evasion T1006
Description

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)

Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes. (Citation: LOLBAS Esentutl)

Supported Platforms
Network Devices, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:30:20.934Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may directly access a volume to bypass file '
                'access controls and file system monitoring. Windows allows '
                'programs to have direct access to logical volumes. Programs '
                'with direct access may read and write files directly from the '
                'drive by analyzing file system data structures. This '
                'technique may bypass Windows file access controls as well as '
                'file system monitoring tools. (Citation: Hakobyan 2009)\n'
                '\n'
                'Utilities, such as `NinjaCopy`, exist to perform these '
                'actions in PowerShell.(Citation: Github PowerSploit '
                'Ninjacopy) Adversaries may also use built-in or third-party '
                'utilities (such as `vssadmin`, `wbadmin`, and '
                '[esentutl](https://attack.mitre.org/software/S0404)) to '
                'create shadow copies or backups of data from system '
                'volumes.(Citation: LOLBAS Esentutl)',
 'external_references': [{'external_id': 'T1006',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1006'},
                         {'description': 'Bialek, J. (2015, December 16). '
                                         'Invoke-NinjaCopy.ps1. Retrieved June '
                                         '2, 2016.',
                          'source_name': 'Github PowerSploit Ninjacopy',
                          'url': 'https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1'},
                         {'description': 'Hakobyan, A. (2009, January 8). '
                                         'FDump - Dumping File Sectors '
                                         'Directly from Disk using Logical '
                                         'Offsets. Retrieved November 12, '
                                         '2014.',
                          'source_name': 'Hakobyan 2009',
                          'url': 'http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin'},
                         {'description': 'LOLBAS. (n.d.). Esentutl.exe. '
                                         'Retrieved September 3, 2019.',
                          'source_name': 'LOLBAS Esentutl',
                          'url': 'https://lolbas-project.github.io/lolbas/Binaries/Esentutl/'}],
 'id': 'attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:23.015Z',
 'name': 'Direct Volume Access',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Tom Simpson, CrowdStrike Falcon OverWatch'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Network Devices', 'Windows'],
 'x_mitre_version': '2.3'}
Related Threat Actors (3)
Volt Typhoon
High

Scattered Spider
High

APT28
High