How does an attacker install a malicious Transport Agent on an Exchange server?

An attacker compiles a C# class library that references `Microsoft.Exchange.Data.Transport.dll`, implementing a transport agent factory and agent class. The DLL is copied to the server, then installed via Exchange PowerShell commands: `Install-TransportAgent`, `Enable-TransportAgent`, and a restart of the MSExchangeTransport service. This installation method is also used in related Exchange attacks, such as Penetration Techniques - From Exchange File Read/Write Permissions to Command Execution.