Threat actors may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.