- ID: IF003
- Created: 31st May 2024
- Updated: 28th April 2026
- Contributor: The ITM Team
Exfiltration via Media Capture
Exfiltration via media capture refers to the extraction of sensitive information through the recording of visual or auditory content using capture mechanisms that operate outside organizational control. This includes the use of external devices, embedded system tools, or third-party applications to record screens, documents, or conversations and convert them into transferable media formats such as images, video, audio, or structured transcripts.
This category is defined not by the type of data being accessed but by the method of extraction: specifically, the transformation of information into captured media in order to bypass conventional monitoring and control mechanisms. In these scenarios, the subject does not transfer files or data through approved or monitored channels. Instead, they reproduce the information in an alternate form that can be removed without generating traditional indicators of exfiltration.
Media capture techniques are particularly effective in environments where digital controls are mature, such as strong data loss prevention (DLP), restricted file transfer mechanisms, or monitored endpoints. As these controls limit conventional exfiltration paths, subjects may shift toward out-of-band capture methods that operate beyond system visibility.
This behavior may be opportunistic or deliberate. In lower-control environments, subjects may casually capture information with minimal consideration of detection. In higher-control environments, the use of media capture may indicate awareness of monitoring capabilities and an intentional effort to circumvent them. In both cases, the technique exploits a fundamental gap between information exposure and information control: once data is visible or spoken, it becomes inherently difficult to contain.
Media capture also varies in its execution and detectability. Some techniques are rapid and discreet, such as still photography, while others involve sustained collection, such as video recording or continuous audio capture.
From an investigative perspective, this section represents a class of behaviors where traditional telemetry is limited or absent. Detection often relies on indirect indicators, environmental controls, or post-event analysis of leaked material. As a result, prevention and deterrence play a critical role, particularly through physical controls, policy enforcement, and attribution mechanisms such as watermarking.
This section is closely related to broader data loss behaviors, but is distinct in its reliance on out-of-band capture methods rather than direct data transfer.
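Watermarking is named above as an attribution mechanism for captures that leave no endpoint or DLP telemetry. The following is an added example, not code from the ITM project, of a verifiable screen-overlay watermark: the overlay text tiled across a session carries the user, host and a five-minute time bucket plus a truncated HMAC tag, so text transcribed from a leaked photo or video frame can be attributed to a session and time window, and an overlay that was edited or fabricated fails verification. The key, bucket size, user and host values are constructed assumptions.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo key (assumption): in production it lives in a secrets store,
# is only held by the service that issues overlays, and is rotated on a schedule.
WATERMARK_KEY = b"demo-watermark-key-not-for-production"

BUCKET_SECONDS = 300  # overlay changes every 5 minutes, narrowing the leak window


def make_watermark(user_id: str, host: str, ts: int, key: bytes = WATERMARK_KEY) -> str:
    """Return the overlay text user|host|bucket|tag to tile across the screen.

    The tag is a truncated HMAC over the other fields, so an overlay that was
    edited in a leaked image, or fabricated to implicate someone else, does not
    verify. Base32 keeps the tag OCR-friendly (no 0/O or 1/I look-alikes).
    """
    bucket = ts - (ts % BUCKET_SECONDS)
    msg = f"{user_id}|{host}|{bucket}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:6]
    return f"{msg.decode()}|{base64.b32encode(tag).decode().rstrip('=')}"


def verify_watermark(overlay: str, key: bytes = WATERMARK_KEY) -> Optional[dict]:
    """Attribute an overlay transcribed from a leaked photo or video frame.

    Returns the user, host and time window the overlay was issued for, or None
    when the text is malformed or its tag does not match (tampered, mis-read by
    OCR, or issued under a different key).
    """
    parts = overlay.strip().split("|")
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    user_id, host, bucket_str, _tag = parts
    bucket = int(bucket_str)
    if bucket % BUCKET_SECONDS != 0:
        return None
    expected = make_watermark(user_id, host, bucket, key)
    if not hmac.compare_digest(expected, overlay.strip()):
        return None
    return {"user": user_id, "host": host,
            "window_start": bucket, "window_end": bucket + BUCKET_SECONDS}


if __name__ == "__main__":
    # Constructed sample: overlay issued to user jdoe on host ws-042 at a fixed time.
    wm = make_watermark("jdoe", "ws-042", 1717113605)
    print("overlay:", wm)
    print("attributed:", verify_watermark(wm))
    print("edited user field:", verify_watermark(wm.replace("jdoe", "asmith")))
```

Because the tag is truncated to 48 bits, the overlay stays short enough to tile legibly while still making an edited or guessed overlay fail verification.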
Subsections (3)
| ID | Name | Description |
|---|---|---|
| IF003.003 | Exfiltration via Audio Capture | A subject captures sensitive information by recording audio using an external device, most commonly a personal mobile phone or wearable device. This typically involves recording conversations, meetings, phone calls, or ambient discussions where sensitive information is disclosed verbally.<br>Unlike visual capture techniques, audio capture does not require direct interaction with systems or documents. It enables the subject to collect information passively, often without needing to position a device toward a specific target. As a result, this method can be sustained over longer periods with reduced risk of detection, particularly in collaborative or discussion-heavy environments.<br>This technique operates entirely outside corporate monitoring controls, bypassing endpoint telemetry, data loss prevention (DLP), and access logging. It is particularly effective in environments where sensitive information is frequently communicated verbally, including meetings, support operations, incident response discussions, executive briefings, and informal conversations between colleagues.<br>Audio capture is often deliberate, as it requires forethought to record and later process the information. However, it may also be opportunistic, especially where subjects are routinely exposed to sensitive discussions. The presence of this behavior may indicate an intent to capture information that is not otherwise accessible in written or exportable form. |
| IF003.002 | Exfiltration via External Device Video Capture | A subject records sensitive information by capturing video using an external device, such as a personal mobile phone or standalone camera. This behavior typically involves filming screens, documents, or physical environments where sensitive information is displayed or discussed.<br>Unlike software-based screen recording or screenshot tools, this method operates outside corporate control boundaries. The capture process occurs entirely outside the monitored endpoint, bypassing data loss prevention (DLP), endpoint detection, and audit logging mechanisms.<br>This technique is commonly observed in controlled environments where digital exfiltration is restricted or heavily monitored. It may be opportunistic (such as quickly recording a screen) or deliberate, involving repeated capture of large volumes of information over time. The use of an external device can indicate subject awareness of monitoring controls and an intent to avoid traceable data transfer. |
| IF003.001 | Exfiltration via Photography | A subject captures sensitive information by taking still images using an external device, most commonly a personal mobile phone. This typically involves photographing screens, printed documents, whiteboards, or other visual representations of sensitive data within the organization’s environment.<br>Unlike video capture, photography enables rapid, low-friction extraction of discrete information with minimal dwell time. A subject can capture high volumes of content in short bursts without sustained or conspicuous behavior, making this technique particularly effective in environments with physical proximity to sensitive material but strong digital controls.<br>This method often operates entirely outside controlled systems and therefore bypasses endpoint monitoring, data loss prevention (DLP), and network-based detection mechanisms. It is frequently opportunistic, occurring during routine access to sensitive information, but may also be deliberate, such as systematically photographing documents, screens, or workflows over time.<br>Photography-based exfiltration is especially prevalent in environments where:<br>The presence of this behavior may indicate awareness of monitoring controls or a preference for low-risk, low-detectability exfiltration methods. |