HKTL - SharpSuccessor Privilege Escalation Tool Execution
Detects the execution of SharpSuccessor, a tool used to perform the BadSuccessor attack for privilege escalation in Windows Server 2025 Active Directory environments. BadSuccessor abuses the delegated Managed Service Account (dMSA) migration feature introduced in Windows Server 2025 to let a new dMSA inherit the privileges of an existing account; successful use of the tool can therefore give an attacker Domain Admin privileges.
Sigma rule
title: HKTL - SharpSuccessor Privilege Escalation Tool Execution
id: 38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8
status: experimental
description: |
    Detects the execution of SharpSuccessor, a tool used to perform the BadSuccessor attack for privilege escalation in Windows Server 2025 Active Directory environments.
    Successful use of this tool can let an attacker gain Domain Admin privileges by exploiting the BadSuccessor vulnerability.
references:
    - https://github.com/logangoins/SharpSuccessor
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-06
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    category: process_creation
    product: windows
detection:
    # A list of maps is OR-ed: any single selector below is enough to match.
    # The first three key on the tool's name; the last keys on its `add`
    # sub-command arguments, so a renamed or recompiled binary is still caught.
    selection:
        - Image|endswith: '\SharpSuccessor.exe'
        - OriginalFileName: 'SharpSuccessor.exe'
        - CommandLine|contains: 'SharpSuccessor'
        - CommandLine|contains|all:
            - ' add '
            - ' /impersonate'
            - ' /path'
            - ' /account'
            - ' /name'
    condition: selection
falsepositives:
    - Unknown
level: high
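To see how the four selectors behave on real-looking telemetry, the following added example (not part of the rule, the SigmaHQ repository, or the SharpSuccessor project) evaluates the rule's `selection` block against constructed process_creation events with Sysmon-style field names. The matcher is a hand-written subset of Sigma semantics (`endswith`, `contains`, `contains|all`, case-insensitive matching, OR between list entries); the command lines are assumed to follow the tool's `add /impersonate /path /account /name` syntax and are invented for illustration.

```python
"""Evaluate the SharpSuccessor Sigma selection against sample events.

Added example, not the rule's or the tool's own code. Implements only the
Sigma modifiers this rule uses; string matching is case-insensitive, as it
is by default in Sigma. All events below are constructed, not real logs.
"""

# The four OR-ed selectors copied from the rule's `selection` block.
SELECTION = [
    {"Image|endswith": "\\SharpSuccessor.exe"},
    {"OriginalFileName": "SharpSuccessor.exe"},
    {"CommandLine|contains": "SharpSuccessor"},
    {"CommandLine|contains|all": [" add ", " /impersonate", " /path",
                                  " /account", " /name"]},
]


def _field_matches(event, key, expected):
    """Apply one `field|modifier` pair to an event, case-insensitively."""
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    value = value.lower()
    patterns = expected if isinstance(expected, list) else [expected]
    patterns = [p.lower() for p in patterns]

    def test(pattern):
        if "endswith" in mods:
            return value.endswith(pattern)
        if "contains" in mods:
            return pattern in value
        return value == pattern  # plain equality, no modifier

    if "all" in mods:
        return all(test(p) for p in patterns)
    return any(test(p) for p in patterns)


def selector_hits(event):
    """Indices of the selectors that match. Entries of the list are OR-ed;
    fields inside a single entry are AND-ed."""
    return [i for i, sel in enumerate(SELECTION)
            if all(_field_matches(event, k, v) for k, v in sel.items())]


def rule_matches(event):
    """`condition: selection` is true when any selector matches."""
    return bool(selector_hits(event))


# Constructed sample events (field names as Sysmon EventID 1 emits them).
EVENTS = {
    # Tool run as shipped: every selector fires.
    "stock_binary": {
        "Image": "C:\\Users\\alice\\Downloads\\SharpSuccessor.exe",
        "OriginalFileName": "SharpSuccessor.exe",
        "CommandLine": 'SharpSuccessor.exe add /impersonate:Administrator '
                       '/path:"OU=temp,DC=corp,DC=local" /account:svc /name:bad',
    },
    # Renamed on disk and OriginalFileName patched in the PE header: only the
    # argument-based selector is left to catch it.
    "renamed_and_patched": {
        "Image": "C:\\Windows\\Temp\\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "CommandLine": 'svchost.exe add /impersonate:Administrator '
                       '/path:"OU=temp,DC=corp,DC=local" /account:svc /name:bad',
    },
    # Benign: an analyst cloning the repository. The bare substring selector
    # fires on the URL, a false positive the rule's metadata does not list.
    "git_clone": {
        "Image": "C:\\Program Files\\Git\\cmd\\git.exe",
        "OriginalFileName": "git.exe",
        "CommandLine": "git clone https://github.com/logangoins/SharpSuccessor",
    },
    "benign": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c dir",
    },
}


def evaluate_all():
    """Map each sample event name to the selector indices it triggers."""
    return {name: selector_hits(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hits in evaluate_all().items():
        print(f"{name:22s} match={rule_matches(EVENTS[name])!s:5s} selectors={hits}")
```

Two things worth taking from the run: the `CommandLine|contains|all` selector is what keeps the rule useful once the binary is renamed and its `OriginalFileName` is patched, and the bare `CommandLine|contains: 'SharpSuccessor'` selector fires on anything that merely mentions the name, including a `git clone` of the repository, so that path is the first place to look when triaging hits on hosts used by security staff.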
References
- https://github.com/logangoins/SharpSuccessor
Related rules
- Buffer Overflow Attempts
- Potential CVE-2024-35250 Exploitation Activity
- Exploiting CVE-2019-1388
- Potential CVE-2021-41379 Exploitation Attempt
- HackTool - SysmonEOP Execution