Skip to content

Hide Navigation Hide TOC

HKTL - SharpSuccessor Privilege Escalation Tool Execution (38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8)

Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.

Cluster A Galaxy A Cluster B Galaxy B Level
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern HKTL - SharpSuccessor Privilege Escalation Tool Execution (38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8) Sigma-Rules 1