HKTL - SharpSuccessor Privilege Escalation Tool Execution

Rule Info

Name
HKTL - SharpSuccessor Privilege Escalation Tool Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in Windows Server 2025 Active Directory environments. Successful use of this tool can let attackers gain domain admin privileges by exploiting the BadSuccessor vulnerability.
Date
2025-06-06 00:00:00
Modified
None
Id
38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8
Tags
attack.privilege-escalation attack.t1068
Type
Community Rule

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5471 from @swachchhanda000 - feat: BadSuccessor Exploits Detection
2025-06-12