Direct Volume Access

Direct volume access is an attack technique in which an adversary bypasses file system monitoring by reading and writing disk volume data directly, parsing the low-level file system structures (such as the NTFS MFT) to steal or tamper with data. Traditional defenses focus on monitoring disk handle opens, detecting the use of non-standard volume manipulation tools (such as NinjaCopy), and analyzing process command-line arguments for suspicious volume-management commands. Defenders typically combine file system filter-driver auditing with process behavior analysis to build their protection.
To evade these traditional detection mechanisms, attackers have developed deeply concealed forms of direct volume access. Through in-memory execution, metadata manipulation and abuse of legitimate tools, they embed the malicious volume operations inside the system's normal storage maintenance workflows, greatly weakening the correlation between the operation and anything anomalous in its surroundings.

ID: T1006
Sub-techniques: No sub-techniques
Tactic: Defense Evasion
Platforms: Network, Windows
Defense Bypassed: File monitoring, File system access controls
Contributors: Tom Simpson, CrowdStrike Falcon OverWatch
Version: 2.2
Created: 31 May 2017
Last Modified: 16 April 2024

Concealment Effects

Effect type                     Present
Signature camouflage
Behavioral transparency
Data obscuring
Spatiotemporal trace dispersal

Signature camouflage

Attackers abuse legitimate system tools (such as vssadmin and esentutl) and mimic disk maintenance protocols to disguise malicious volume access as normal storage operations such as backup or defragmentation. By using signed drivers or I/O request structures that conform to the Windows storage stack conventions, the low-level disk traffic is indistinguishable from legitimate operations at the protocol-signature level, which effectively evades detection based on behavioral signature matching.

Data obscuring

Real-time encryption is applied to the modified volume metadata and to the content being sent back, using algorithms such as AES to obfuscate key information such as MFT entries and log records. Encryption is performed in memory with dynamically generated keys, so the encrypted data left on disk cannot be parsed by conventional forensic tools, deeply hiding the traces of the operation.

Spatiotemporal trace dispersal

A low-frequency, long-period volume access strategy splits the data theft task into multiple staged micro-operations. The attack is timed to the system's scheduled maintenance windows (such as the monthly backup cycle) and uses the disk load fluctuations of normal business hours to mask the malicious I/O traffic, so that detection mechanisms based on timing analysis struggle to spot the anomaly.

Procedure Examples

ID Name Description
S0404 esentutl

esentutl can use the Volume Shadow Copy service to copy locked files such as ntds.dit.[1][2]

G1015 Scattered Spider

Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the NTDS.dit file.[3]

G1017 Volt Typhoon

Volt Typhoon has executed the Windows-native vssadmin command to create volume shadow copies.[4]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of behaviors related to efforts by an adversary to create backups, such as command execution or preventing API calls to backup related services.

M1018 User Account Management

Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.

DS0016 Drive Drive Access

Monitor handle opens on volumes that are made by processes to determine when they may be directly collecting data from logical drives. [5]

DS0022 File File Creation

Monitor for the creation of volume shadow copy and backup files, especially unexpected and irregular activity (relative to time, user, etc.).
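The three detection data components above (command execution, drive access, file creation) and the two evasion patterns described earlier (abuse of legitimate, allowlisted tools and low-frequency access timed around maintenance windows) can be expressed as a small set of rules over endpoint telemetry. The following is an added example, not code from the original page or from MITRE, written in Python over constructed Sysmon-style events: the event field names, the EventID mapping (1 = process create, 9 = raw access read, 11 = file create), the maintenance window, the backup service account, the image allowlist and every path and timestamp in the sample data are assumptions for the demonstration. The low-and-slow rule goes beyond the page's per-event detections: it accumulates off-window raw volume reads per image across distinct days, so that a legitimate backup agent being driven once a day at the wrong time still produces an alert even though each single read is allowlisted.

```python
"""Added example: T1006 detection rules over constructed Sysmon-style events.

Not from the original page. Assumed event shape: EventID 1 = process create,
9 = raw access read, 11 = file create. Policy values below are assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed environment policy: backup jobs run 02:00-04:00 under a dedicated account.
MAINT_WINDOW = (time(2, 0), time(4, 0))
BACKUP_ACCOUNTS = {r"CORP\svc_backup"}
# Assumed allowlist of images expected to open raw volume handles (tune per estate).
RAW_ACCESS_ALLOWLIST = {r"c:\program files\examplebackup\agent.exe"}
LOW_AND_SLOW_DAYS = 3  # distinct days of off-window raw reads before alerting

# DS0017: command-line indicators of shadow-copy creation or locked-file copying.
CMD_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I), "vssadmin shadow creation"),
    (re.compile(r"esentutl(\.exe)?.*\s/vss\b", re.I), "esentutl copy via VSS"),
    (re.compile(r"ntds\.dit", re.I), "reference to ntds.dit"),
    (re.compile(r"\\\\\.\\(PhysicalDrive|[A-Z]:)", re.I), "raw device path in command line"),
]

def _in_window(ts: datetime) -> bool:
    return MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]

def check_command(ev: dict) -> list[str]:
    """DS0017 Command Execution: match known volume-copy indicators in the command line."""
    return [f"T1006 cmd: {label}" for pat, label in CMD_PATTERNS if pat.search(ev["cmdline"])]

def check_raw_access(ev: dict) -> list[str]:
    """DS0016 Drive Access: raw volume handle opened by an image not expected to do so."""
    if ev["image"].lower() in RAW_ACCESS_ALLOWLIST:
        return []
    return [f"T1006 raw read of {ev['device']} by {ev['image']}"]

def check_file_create(ev: dict) -> list[str]:
    """DS0022 File Creation: backup/shadow artefact created by the wrong user or at the wrong time."""
    if not re.search(r"\.(dit|bak|vhdx?)$|HarddiskVolumeShadowCopy", ev["target"], re.I):
        return []
    reasons = []
    if ev["user"] not in BACKUP_ACCOUNTS:
        reasons.append("unexpected user")
    if not _in_window(datetime.fromisoformat(ev["ts"])):
        reasons.append("outside maintenance window")
    return [f"T1006 backup artefact {ev['target']}: {', '.join(reasons)}"] if reasons else []

def check_low_and_slow(events: list[dict]) -> list[str]:
    """Counter the staged, low-frequency pattern: count off-window raw reads per image
    across distinct days (allowlisted or not), so one read per day still accumulates."""
    days: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev["id"] == 9 and not _in_window(datetime.fromisoformat(ev["ts"])):
            days[ev["image"]].add(ev["ts"][:10])
    return [f"T1006 low-and-slow raw access by {img} on {len(d)} days"
            for img, d in days.items() if len(d) >= LOW_AND_SLOW_DAYS]

def run(events: list[dict]) -> list[str]:
    """Apply the per-event rules, then the cross-event low-and-slow rule."""
    alerts: list[str] = []
    for ev in events:
        if ev["id"] == 1:
            alerts += check_command(ev)
        elif ev["id"] == 9:
            alerts += check_raw_access(ev)
        elif ev["id"] == 11:
            alerts += check_file_create(ev)
    return alerts + check_low_and_slow(events)

AGENT = r"C:\Program Files\ExampleBackup\agent.exe"  # assumed legitimate backup agent
# Constructed sample telemetry (not real logs): one interactive copy attempt during
# business hours, a nightly in-window backup, and the backup agent driven at midday.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2024-04-16T14:02:11", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin create shadow /for=C:"},
    {"id": 1, "ts": "2024-04-16T14:03:40", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y C:\Windows\NTDS\ntds.dit /vss /d C:\Users\Public\out.dit"},
    {"id": 1, "ts": "2024-04-16T14:05:00", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 9, "ts": "2024-04-16T14:04:02", "user": r"CORP\jdoe",
     "image": r"C:\Users\Public\tool.exe", "device": r"\Device\HarddiskVolume2"},
    {"id": 9, "ts": "2024-04-16T02:30:00", "user": r"CORP\svc_backup", "image": AGENT, "device": r"\Device\HarddiskVolume2"},
    {"id": 9, "ts": "2024-04-17T13:10:00", "user": r"CORP\svc_backup", "image": AGENT, "device": r"\Device\HarddiskVolume2"},
    {"id": 9, "ts": "2024-04-19T13:12:00", "user": r"CORP\svc_backup", "image": AGENT, "device": r"\Device\HarddiskVolume2"},
    {"id": 9, "ts": "2024-04-23T13:09:00", "user": r"CORP\svc_backup", "image": AGENT, "device": r"\Device\HarddiskVolume2"},
    {"id": 11, "ts": "2024-04-16T14:03:41", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\esentutl.exe", "target": r"C:\Users\Public\out.dit"},
    {"id": 11, "ts": "2024-04-16T02:31:00", "user": r"CORP\svc_backup",
     "image": AGENT, "target": r"D:\Backups\nightly.vhdx"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints six alerts: one each for the vssadmin and tool.exe events, two for the esentutl command line (the /vss switch and the ntds.dit reference), one for the .dit file created by a non-backup user during business hours, and one low-and-slow alert for the allowlisted agent that was driven at midday on three separate days. The nightly in-window backup and the svchost process produce nothing. The allowlist and the maintenance window are the two knobs that decide the false-positive rate; the per-day accumulation is what keeps the staged access pattern from hiding below a rate threshold.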

References