HKTL - SharpSuccessor Privilege Escalation Tool Execution

Original Source: [Sigma source]
Title: HKTL - SharpSuccessor Privilege Escalation Tool Execution
Status: experimental
Description:Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
References:
  -https://github.com/logangoins/SharpSuccessor
 Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-06-06
modified:None
Tags:
  • -'attack.privilege-escalation'
  • -'attack.t1068'
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection:
Image|endswith:'\SharpSuccessor.exe' OriginalFileName:'SharpSuccessor.exe' CommandLine|contains:'SharpSuccessor'     - CommandLine|contains|all:
      - ' add '
      - ' /impersonate'
      - ' /path'
      - ' /account'
      - ' /name'
  condition:selection
Falsepositives:
  -Unknown
Level: high

© 2024 DetectionCode Website. All Rights Reserved.