Detection rules › Sigma
HKTL - SharpSuccessor Privilege Escalation Tool Execution
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1068 Exploitation for Privilege Escalation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection
or:
CommandLine|contains: ' /account'
CommandLine|contains: ' /impersonate'
CommandLine|contains: ' /name'
CommandLine|contains: ' /path'
CommandLine|contains: ' add '
CommandLine|contains: SharpSuccessor
Image|endswith: '\SharpSuccessor.exe'
OriginalFileName: SharpSuccessor.exe
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|