What are the two file-writing methods in ProxyShell, and how do they compare in terms of stealth and cleanup?
The two methods are: (1) `New-MailboxExportRequest`, which exports an email containing the payload to a specified file path; it requires adding the user to the `Mailbox Import Export` role and leaves export requests behind, which can be cleared with `-CompletedRequestAgeLimit 0`. (2) `New-ExchangeCertificate`, which writes the payload into a certificate subject; it is quicker but has syntax restrictions on special characters. Both require careful cleanup (removing export requests or certificates) to avoid detection. For more on the broader exploitation flow, see the ProxyShell Exploitation Analysis 2.
Tags: New-MailboxExportRequest, New-ExchangeCertificate, file write methods, stealth, cleanup, ProxyShell