Threat actors may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform Lateral Movement, or as a precursor to Direct Volume Access.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.