In the very specific case that you:

• Are in a Pentest
• This Pentest is Internal
• You have Internal Positionining
• You are using some Linux
• You are attacking Windows
• HTTP/S, Raw TCP(, etc) Shells are all blocked
  • Closed ports
  • Behaviorals
  • any kind of weird sorcery casted by NetAdmins

Then you could use...

and make you victims talk to you through SMB (duh)