What is the more stealthy method involving desktop.ini to capture NTLMv2 hashes, and how does it compare to using SCF files?
The stealthier method modifies the `desktop.ini` file in a folder to include an `IconResource` attribute pointing to a UNC path on a fake file server. Unlike SCF files, this does not require adding an extra file to the share—only the existing `desktop.ini` is edited. When the user opens that folder, Windows automatically connects to the fake server to retrieve the icon, transmitting the user's NTLMv2 hash. This approach is more covert than SCF files, but may require administrator privileges for some folders.
NTLMv2 hash, desktop.ini, IconResource, SMB, stealth