
HKTL - SharpSuccessor Privilege Escalation Tool Execution

Sigma Rules

Summary
The rule detects the execution of SharpSuccessor, a tool written to exploit the BadSuccessor vulnerability in Windows Server 2025 Active Directory environments. Successful use of the tool lets an attacker escalate privileges up to domain administrator. The detection covers several indicators of execution: the process image file name, the PE original file name, and the command-line parameters characteristic of SharpSuccessor. The rule is rated high because of the severity of a successful exploitation. It relies on process-creation events and is tuned to flag command lines that indicate use of the tool. The rule combines multiple selection criteria to limit false positives; no false positives are currently known.
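As an added illustration (not the rule's own source), the following Python emulates the three selection types described above over constructed process-creation events. The image suffix, original file name and command-line tokens are assumed indicator values, since the page names the indicator types but not the values.

```python
# Added example: emulates the described detection logic (image name, original
# file name, command-line tokens) over constructed Windows process-creation
# events. Not the Sigma rule's own source; indicator values are assumptions.
from dataclasses import dataclass

# Assumed indicator values for illustration.
IMAGE_SUFFIX = "\\sharpsuccessor.exe"
ORIGINAL_FILE_NAME = "sharpsuccessor.exe"
# Assumed argument tokens; all must be present for the command-line selection
# to fire, mirroring a Sigma "contains|all" modifier.
CMDLINE_TOKENS_ALL = ("add", "/impersonate:", "/path:", "/account:", "/name:")


@dataclass
class ProcessCreationEvent:
    image: str
    command_line: str
    original_file_name: str = ""


def matches_sharpsuccessor(ev: ProcessCreationEvent) -> list:
    """Return the names of the selections that fired (empty list = no alert).

    The selections are independent, so a renamed binary still alerts on the
    PE OriginalFileName or on the distinctive argument set.
    """
    fired = []
    if ev.image.lower().endswith(IMAGE_SUFFIX):
        fired.append("image")
    if ev.original_file_name.lower() == ORIGINAL_FILE_NAME:
        fired.append("original_file_name")
    cl = ev.command_line.lower()
    if all(tok in cl for tok in CMDLINE_TOKENS_ALL):
        fired.append("command_line")
    return fired


# Constructed sample events: one unmodified run, one renamed binary, one benign.
SAMPLE_EVENTS = [
    ProcessCreationEvent(r"C:\Users\u\Downloads\SharpSuccessor.exe",
                         "SharpSuccessor.exe add /impersonate:a /path:b /account:c /name:d",
                         "SharpSuccessor.exe"),
    ProcessCreationEvent(r"C:\Temp\svc.exe",
                         "svc.exe add /impersonate:a /path:b /account:c /name:d",
                         "SharpSuccessor.exe"),
    ProcessCreationEvent(r"C:\Windows\System32\notepad.exe",
                         "notepad.exe add.txt", "NOTEPAD.EXE"),
]


def scan(events):
    """Return (image, fired selections) for every event that alerts."""
    return [(e.image, matches_sharpsuccessor(e)) for e in events
            if matches_sharpsuccessor(e)]
```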
Categories
  • Windows
  • On-Premise
  • Infrastructure
Data Sources
  • Process
  • Application Log
Created: 2025-06-06