Preparation
AI-Assisted Capability Development
Archive Data
Authorization Token Staging
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Delegated Preparation via Artificial Intelligence Agents
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Hardware-Based Remote Access (IP-KVM)
Impersonation
Increase Privileges
IT Ticketing System Exploration
Joiner
Media Capture via External Device
Mover
Network Scanning
Observational Information Gathering
On-Screen Data Collection
Oversight Circumvention and Control Degradation
Persistent Access via Bots
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
Testing Security Controls
VPN Usage
- ID: PR020.004
- Created: 15th May 2026
- Updated: 15th May 2026
- Contributor: The ITM Team
Masquerading Sensitive Data as Personal Files
A subject intentionally alters the filename, file extension, metadata tags, document properties, or visible descriptive attributes of sensitive organizational data to make it appear to be benign personal information. This may include disguising proprietary, regulated, technical, financial, customer, or strategic material as photographs, household records, recipes, receipts, travel documents, music files, temporary files, or other low-risk personal content.
This technique is typically performed before data staging, transfer, or exfiltration. It may reduce scrutiny during manual review, mislead investigators during triage, or weaken controls that rely on filename, extension, path, metadata, or user-applied classification fields. Investigators should assess this behavior in proximity to file access, bulk download, archive creation, removable media use, cloud upload, email transmission, or other indicators of planned data loss.
A common scenario occurs during offboarding, where a subject is permitted to remove or transfer legitimate personal files from a corporate device before returning the asset. The subject may exploit this authorized window by disguising sensitive organizational data as personal material, relying on the expectation that files labeled as photographs, tax records, household documents, or other personal content will receive less scrutiny. This behavior can create ambiguity for investigators because the initial transfer context may appear procedurally authorized, while the concealed content indicates preparation for later exfiltration or unauthorized retention.
Examples of Use
- A subject renames 2026_Product_Roadmap.xlsx to holiday_budget.xlsx before copying it to removable media.
- A subject changes customer_export.csv to family_photos.tmp and stores it in a personal folder prior to upload.
- A subject modifies document properties, author fields, tags, or comments to remove project, client, or classification references.
- A subject applies misleading metadata such as “personal,” “recipe,” “tax,” “school,” or “photos” to files containing proprietary information.
- A subject changes an engineering design file extension to appear as a media, text, or backup file before moving it into a staged directory.