MITRE ATT&CK Technique
Description
Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0109), or as a precursor to [Direct Volume Access](https://attack.mitre.org/techniques/T1006). On ESXi systems, adversaries may use [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) commands such as `esxcli` to list storage connected to the host as well as `.vmdk` files.(Citation: TrendMicro)(Citation: TrendMicro ESXI Ransomware) On Windows systems, adversaries can use `wmic logicaldisk get` to find information about local network drives. They can also use `Get-PSDrive` in PowerShell to retrieve drives and may additionally use Windows API functions such as `GetDriveType`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Volexity) Linux has commands such as `parted`, `lsblk`, `fdisk`, `lshw`, and `df` that can list information about disk partitions such as size, type, file system types, and free space. The command `diskutil` on MacOS can be used to list disks while `system_profiler SPStorageDataType` can additionally show information such as a volume’s mount path, file system, and the type of drive in the system. Infrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as `describe volume` in AWS, `gcloud compute disks list` in GCP, and `az disk list` in Azure.(Citation: AWS docs describe volumes)(Citation: GCP gcloud compute disks list)(Citation: azure az disk)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2025-09-25T21:09:38.677Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may enumerate local drives, disks, and/or volumes '
'and their attributes like total or free space and volume '
'serial number. This can be done to prepare for '
'ransomware-related encryption, to perform [Lateral '
'Movement](https://attack.mitre.org/tactics/TA0109), or as a '
'precursor to [Direct Volume '
'Access](https://attack.mitre.org/techniques/T1006). \n'
'\n'
'On ESXi systems, adversaries may use [Hypervisor '
'CLI](https://attack.mitre.org/techniques/T1059/012) commands '
'such as `esxcli` to list storage connected to the host as '
'well as `.vmdk` files.(Citation: TrendMicro)(Citation: '
'TrendMicro ESXI Ransomware)\n'
'\n'
'On Windows systems, adversaries can use `wmic logicaldisk '
'get` to find information about local network drives. They can '
'also use `Get-PSDrive` in PowerShell to retrieve drives and '
'may additionally use Windows API functions such as '
'`GetDriveType`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD '
'HIUPAN SEPTEMBER 2024)(Citation: Volexity)\n'
'\n'
'Linux has commands such as `parted`, `lsblk`, `fdisk`, '
'`lshw`, and `df` that can list information about disk '
'partitions such as size, type, file system types, and free '
'space. The command `diskutil` on MacOS can be used to list '
'disks while `system_profiler SPStorageDataType` can '
'additionally show information such as a volume’s mount path, '
'file system, and the type of drive in the system. \n'
'\n'
'Infrastructure as a Service (IaaS) cloud providers also have '
'commands for storage discovery such as `describe volume` in '
'AWS, `gcloud compute disks list` in GCP, and `az disk list` '
'in Azure.(Citation: AWS docs describe volumes)(Citation: GCP '
'gcloud compute disks list)(Citation: azure az disk)',
'external_references': [{'external_id': 'T1680',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1680'},
{'description': 'Ankur Saini, Charlie Gardner. (2023, '
'June 28). Charming Kitten Updates '
'POWERSTAR with an InterPlanetary '
'Twist. Retrieved September 25, 2025.',
'source_name': 'Volexity',
'url': 'https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/'},
{'description': 'AWS. (n.d.). describe-volumes. '
'Retrieved October 20, 2025.',
'source_name': 'AWS docs describe volumes',
'url': 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html'},
{'description': 'Azure. (n.d.). az disk. Retrieved '
'October 20, 2025.',
'source_name': 'azure az disk',
'url': 'https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest'},
{'description': 'Google Cloud. (n.d.). gcloud compute '
'disks list. Retrieved October 20, '
'2025.',
'source_name': 'GCP gcloud compute disks list',
'url': 'https://cloud.google.com/sdk/gcloud/reference/compute/disks/list'},
{'description': 'Junestherry Dela Cruz. (2022, '
'January 24). Analysis and Impact of '
'LockBit Ransomware’s First Linux and '
'VMware ESXi Variant. Retrieved March '
'26, 2025.',
'source_name': 'TrendMicro ESXI Ransomware',
'url': 'https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html'},
{'description': 'Lenart Bermejo, Sunny Lu, Ted Lee. '
'(2024, September 9). Earth Preta '
'Evolves its Attacks with New Malware '
'and Strategies. Retrieved August 4, '
'2025.',
'source_name': 'Trend Micro MUSTANG PANDA PUBLOAD '
'HIUPAN SEPTEMBER 2024',
'url': 'https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html'},
{'description': 'Mina Naiim. (2021, May 28). DarkSide '
'on Linux: Virtual Machines Targeted. '
'Retrieved March 26, 2025.',
'source_name': 'TrendMicro',
'url': 'https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html'}],
'id': 'attack-pattern--f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-22T02:09:54.940Z',
'name': 'Local Storage Discovery',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Liran Ravich, CardinalOps'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['ESXi', 'IaaS', 'Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.0'}