Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

HKTL - SharpSuccessor Privilege Escalation Tool Execution

Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Jun 0638a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        - Image|endswith: '\SharpSuccessor.exe'
        - OriginalFileName: 'SharpSuccessor.exe'
        - CommandLine|contains: 'SharpSuccessor'
        - CommandLine|contains|all:
              - ' add '
              - ' /impersonate'
              - ' /path'
              - ' /account'
              - ' /name'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8
Status
experimental
Level
high
Type
Detection
Created
Fri Jun 06
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_hktl_sharpsuccessor_execution.yml
Raw Tags
attack.privilege-escalationattack.t1068
View on GitHub