How Microsoft Defender for Identity protects against DFSCoerce - Microsoft Tech Community

Almost a year has passed since the “PetitPotam” attack vector was initially discovered. Shortly after, Microsoft Defender for Identity provided detection capabilities for this vulnerability. Earlier this month, a new attack vector that was inspired by PetitPotam was published by Filip Dragovic. The attack, which was later dubbed “DFSCoerce” can exploit the DFS-NM protocol to coerce the Domain Controller to authenticate against an NTLM Relay attack. This has the potential to allow a non-privileged user in the domain to become a domain admin.