What are the recommended defense strategies against SCF and desktop.ini icon-based NTLM hash theft?
Defenses include regularly scanning file shares for `.scf` and `desktop.ini` files that contain UNC paths in `IconFile` or `IconResource` attributes. If UNC icon paths are not required, block outbound SMB traffic on ports 139 and 445 using firewalls to prevent hash leakage. Additionally, educate users to avoid opening untrusted shares. For more on hash capture techniques, refer to Penetration Techniques - Using PHP Scripts to Obtain Net-NTLM Hash from Browsers.
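One way to run the share scan described above, as an added example that is not code from the original page: it walks a mounted share and reports every `.scf` or `desktop.ini` file whose `IconFile` or `IconResource` value is a UNC path. The function names, the 1 MiB read limit and the `fileserver.example` host in the constructed sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Keys named on the page: IconFile (.scf, desktop.ini) and IconResource (desktop.ini).
ICON_KEY = re.compile(r"^\s*(IconFile|IconResource)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def decode_ini(raw):
    # desktop.ini is often UTF-16 with a BOM; otherwise drop NULs (BOM-less UTF-16) and decode 8-bit.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.replace(b"\x00", b"").decode("latin-1")

def is_unc(value):
    # Two leading slashes mean a remote (UNC) path; \\?\ device forms are flagged too, for review.
    return value.strip().strip('"').replace("/", "\\").startswith("\\\\")

def find_unc_icon_refs(root, max_bytes=1 << 20):
    findings = []  # (path, key, value) tuples
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini" and not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = decode_ini(fh.read(max_bytes))
            except OSError:
                continue  # unreadable; a production scan would log this
            for line in text.splitlines():
                m = ICON_KEY.match(line)
                if m and is_unc(m.group(2)):
                    findings.append((path, m.group(1), m.group(2)))
    return findings

def build_constructed_share(root):
    # Constructed sample files; fileserver.example is a placeholder host.
    os.makedirs(os.path.join(root, "docs"))
    ini = "[.ShellClassInfo]\r\nIconResource=\\\\fileserver.example\\s\\i.ico,0\r\n"
    with open(os.path.join(root, "docs", "desktop.ini"), "wb") as fh:
        fh.write(ini.encode("utf-16"))
    with open(os.path.join(root, "link.SCF"), "w") as fh:
        fh.write("[Shell]\nCommand=2\nIconFile=\\\\fileserver.example\\s\\a.ico\n")
    with open(os.path.join(root, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,4\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_share(tmp)
        print(*find_unc_icon_refs(tmp), sep="\n")
```

Local icon references such as the `shell32.dll` entry are not reported, so a hit is a file worth reviewing or removing.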
Tags: defense, SCF file, desktop.ini, firewall, SMB, UNC path