Attacks on endpoint management of the system: analysis of TTP 2026 and detection for SOC

Depov

On February 13, 2026, CISA gave organizations three days to remediate CVE-2026-1731, a pre-authentication RCE in BeyondTrust Remote Support with CVSS 9.9. Three days. The bug was already being exploited in active ransomware campaigns before most teams had even downloaded the patch, let alone tested it.

For an attacker, a compromised endpoint management system is not one endpoint but hundreds at once: every managed endpoint becomes the next target through the standard software deployment mechanisms. No need for your own C2; one is already in place, paid for and signed by the vendor.

Below: analysis of the kill chain from pre-auth RCE to lateral movement, ready-made Sigma rules for the SOC, and a hardening checklist.
Business logic of attack: why endpoint management is a priority target
Endpoint management systems (BeyondTrust, ConnectWise ScreenConnect, SimpleHelp) are built on a trust architecture. The agent on each host accepts commands from the central server without additional authentication. For the IT department this is convenience. For the attacker it is a ready-made C2 channel with legitimate traffic, indistinguishable from baseline.

Three reasons why this is target number one:
1. One compromised console issues commands to every managed machine through standard software deployment (T1072, Software Deployment Tools, MITRE ATT&CK). Cobalt Strike is not needed; the vendor's own agent does the job.
2. RMM traffic between agent and server is baseline for the SOC: encrypted, on standard ports, processes signed. The SOC does not touch it because "it's our tool."
3. Agents run under privileged accounts. Compromising the server opens access to stored credentials or allows hashes to be intercepted during authentication.
Financial context: according to Verizon DBIR 2025, the median ransom paid is $46,000 and the maximum recorded is $75M. For the healthcare sector, where Qilin and Akira remain the most active groups (ransomware.live data for June 2026: 15 and 9 victims among the last 100 publications, respectively), the consequences go beyond the ransom: regulatory fines for leaked patient data, downtime of clinical equipment, criminal liability where negligence is proven. According to IBM X-Force 2025, 70% of attacks affected critical infrastructure.
Kill chain: from pre-auth RCE to lateral movement through RMM
T+5 minutes. Credential harvesting. Privileged processes run on the RMM server; NTLM hashes of domain accounts are extracted from their memory. An additional vector is CVE-2025-24054 (CVSS 6.5, CWE-73, external control of file name or path in Windows NTLM): .library-ms files on target network shares trigger an NTLMv2 hash leak. Three public exploits exist (EDB-52480, EDB-52478, EDB-52280). CISA SSVC: Attend, exploitation active, but automatable: no, since user action (UI:R) is required.

T+15 minutes. Lateral movement. Through the regular RMM channel (BeyondTrust agent on target hosts) or through classic techniques:
• Pass the Hash (T1550.002): the NTLM hash from the previous step is reused for authentication over SMB (port 445) or WMI (port 135). Preconditions: NTLM enabled, no Credential Guard, no SMB microsegmentation.
• SMB/Windows Admin Shares (T1021.002): PsExec or Impacket smbexec connects to the ADMIN$ share, copies a binary and runs it. According to CISA #StopRansomware advisories, Conti, Black Basta, Akira and LockBit use PsExec as the main ransomware distribution tool. Preconditions: stolen admin credentials, SMB workstation-to-workstation connections allowed.
• RDP (T1021.001): Preconditions: RDP enabled, NLA disabled, no network restriction of RDP access.
T+30-60 minutes. According to CrowdStrike GTR 2025, the average breakout time in eCrime operations is 62 min. (record: 51 seconds). Within this window, ransomware is deployed through the standard software deployment mechanisms of the RMM platform. An hour, and everything is encrypted. Through your own administration tool.

A separate trend: ransomware groups are deliberately switching to less common RMM tools. Approximate distribution based on ReliaQuest publications (exact figures not verified against the source):

[image: distribution of RMM tools used by ransomware groups; not reproduced in the text]

SimpleHelp and Nezha are used precisely because most SOC teams build their analytics around ConnectWise and AnyDesk. Tools with a small install base are a blind spot. No rules, no alerts. No alerts, no incident. Until it is too late.
Detection: Sigma-rules and correlation for SOC

Key Sigma Rules by TTP
For each technique, SigmaHQ has ready-made rules. I list the key ones with notes on SIEM vendors.

T1550.002 (Pass the Hash) - 6 rules in SigmaHQ:
• win_security_pass_the_hash_2.yml - PtH via account logon events (Security log, EventID 4624/4625)
• win_susp_ntlm_auth.yml - anomalous NTLM authentication
• win_system_lsasrv_ntlmv1.yml - NTLMv1 connection (System log, LsaSrv); an outdated protocol, in 2026 almost always an indicator of attack
T1021.001 (Remote Desktop Protocol) - 16 rules:
• win_security_rdp_reverse_tunnel.yml - RDP tunneled via SSH
• zeek_rdp_public_listener.yml - RDP exposed on a public IP (network level, Zeek)
• proc_creation_win_ssh_port_forward.yml - SSH port forwarding for RDP
T1021.002 (SMB/Admin Shares) - 43 rules:
• zeek_smb_converted_win_susp_psexec.yml - PsExec via SMB (Zeek)
• pipe_created_pua_remcom_default_pipe.yml - named pipe of RemCom (Sysmon EventID 17/18)
• posh_ps_susp_new_psdrive.yml - PowerShell mapping of network drives
Example Sigma rule for Pass the Hash detection (adaptation of win_security_pass_the_hash_2.yml):
YAML:
title: Potential Pass the Hash Activity
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        LogonProcessName: 'NtLmSsp'
        AuthenticationPackageName: 'NTLM'
        KeyLength: 0
    filter:
        TargetUserName: 'ANONYMOUS LOGON'
    condition: selection and not filter
level: medium
The rule fires on a network logon (type 3) via NTLM with zero key length, the characteristic PtH pattern. In CrowdStrike Falcon this pattern is covered by Identity Threat Detection; in Elastic Security 8.x+ by the built-in ML rules for lateral movement. In Kaspersky EDR Expert similar logic is implemented through custom IoA rules filtering on EventID 4624 + LogonType 3.

Nuance: the rule generates false positives in environments with legacy applications on NTLM. Before enabling it, baseline for 2-4 weeks; otherwise you will drown in alerts.
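To make the two points above concrete (the rule's "selection and not filter" logic, and the baseline step that suppresses known legacy NTLM sources), here is an added example in Python. It is not part of the original post or of SigmaHQ; the 4624 records are constructed, and the (TargetUserName, IpAddress) baseline key is an assumption you may want to widen to include WorkstationName.

```python
"""Pass-the-Hash detection over Windows Security EventID 4624 records, mirroring the
adapted win_security_pass_the_hash_2.yml logic plus a learning-window baseline.
Added example; all events below are constructed, not real telemetry."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    logon_process: str       # LogonProcessName
    auth_package: str        # AuthenticationPackageName
    key_length: int          # KeyLength
    target_user: str         # TargetUserName
    workstation: str         # WorkstationName
    src_ip: str              # IpAddress


def matches_pth_rule(ev: LogonEvent) -> bool:
    """Sigma 'selection and not filter': network logon via NtLmSsp/NTLM with
    KeyLength 0, excluding ANONYMOUS LOGON."""
    selection = (
        ev.event_id == 4624
        and ev.logon_type == 3
        and ev.logon_process == "NtLmSsp"
        and ev.auth_package == "NTLM"
        and ev.key_length == 0
    )
    excluded = ev.target_user == "ANONYMOUS LOGON"
    return selection and not excluded


def build_baseline(history: Iterable[LogonEvent]) -> set:
    """(user, source IP) pairs that hit the rule during the learning window.
    In production that window is the 2-4 weeks recommended above."""
    return {(ev.target_user, ev.src_ip) for ev in history if matches_pth_rule(ev)}


def detect(events: Iterable[LogonEvent], baseline: set) -> list:
    """Rule hits that are not explained by the baseline."""
    return [ev for ev in events
            if matches_pth_rule(ev) and (ev.target_user, ev.src_ip) not in baseline]


# Constructed learning-window events: a legacy scanner that always authenticates with NTLM.
HISTORY = [LogonEvent(4624, 3, "NtLmSsp", "NTLM", 0, "svc_scanner", "MFP-LOBBY", "10.0.9.10")] * 20

# Constructed live events.
LIVE = [
    LogonEvent(4624, 3, "NtLmSsp", "NTLM", 0, "svc_backup", "WS-042", "10.0.5.42"),       # PtH pattern, new pair
    LogonEvent(4624, 3, "NtLmSsp", "NTLM", 128, "j.doe", "WS-017", "10.0.5.17"),         # NTLM with session key
    LogonEvent(4624, 3, "Kerberos", "Kerberos", 0, "j.doe", "WS-017", "10.0.5.17"),      # not NTLM
    LogonEvent(4624, 3, "NtLmSsp", "NTLM", 0, "ANONYMOUS LOGON", "-", "10.0.5.99"),     # excluded by filter
    LogonEvent(4624, 3, "NtLmSsp", "NTLM", 0, "svc_scanner", "MFP-LOBBY", "10.0.9.10"), # baselined legacy source
    LogonEvent(4625, 3, "NtLmSsp", "NTLM", 0, "admin", "WS-042", "10.0.5.42"),          # failed logon, other EventID
]

if __name__ == "__main__":
    for hit in detect(LIVE, build_baseline(HISTORY)):
        print(f"ALERT PtH pattern: {hit.target_user} from {hit.src_ip} ({hit.workstation})")
```

Run stand-alone it prints one alert (svc_backup from 10.0.5.42); the legacy scanner is silenced by the baseline, and the ANONYMOUS LOGON, Kerberos, 128-bit-key and 4625 records never match the rule.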
Correlation logic and D3FEND countermeasures
Detection logic for RMM is built on three layers:

Layer 1: process anomaly on the RMM server. Any cmd.exe, powershell.exe or bash running as a child process of the RMM service (the Bomgar service process, screenconnect.exe) is a high-severity alert. Elastic Security 8.x+: EQL pattern process where process.parent.name in ("Bomgar", "bomgar-scc", "screenconnect.clientservice.exe") and process.name in ("cmd.exe", "powershell.exe") (process names depend on the version and component; check the BeyondTrust KB and the actual processes in your environment). In SentinelOne: a Deep Visibility query on parent name.

Layer 2: unfamiliar RMM agent. SHA256 hashes of SimpleHelp, Nezha, MeshAgent go on the Application Control block list. In CrowdStrike Falcon: an IOA rule on process creation matching the hash. In Kaspersky EDR Expert: Application Control in deny-by-default mode. If one RMM is approved in your environment, everything else is blocked. Period.

Layer 3: SMB workstation-to-workstation. A workstation initiates an SMB connection to ADMIN$ on another workstation. In normal operation such traffic is practically absent. Sigma: zeek_smb_converted_win_susp_psexec.yml at the network level; on the host, Sysmon EventID 17/18 for named pipes.
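The three layers above, as an added example (not code from the original post or from any vendor) that correlates constructed Sysmon-style process and named-pipe records with Zeek-style SMB mapping records. The RMM parent process names, the placeholder hashes, and the "WS-" workstation naming convention are assumptions to replace with values from your own environment; the PSEXESVC and RemCom_communicaton pipe names are the tools' defaults.

```python
"""Three-layer RMM-abuse detection: shell spawned by the RMM service, unapproved RMM
agent by hash, and workstation-to-workstation ADMIN$ / PsExec-style pipes.
Added example; every record below is constructed."""
from dataclasses import dataclass
from typing import Optional

# Layer 1: RMM service components that should never spawn an interactive shell (assumption).
RMM_SERVICE_PARENTS = {"bomgar-scc.exe", "screenconnect.clientservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "bash"}
# Layer 2: one approved agent hash; known unapproved RMM agent hashes (placeholders).
APPROVED_RMM_SHA256 = {"0" * 64}
UNAPPROVED_RMM_SHA256 = {"1" * 64: "SimpleHelp", "2" * 64: "MeshAgent", "3" * 64: "Nezha"}
# Layer 3: admin share used for remote execution and the default pipes of PsExec and RemCom
# (RemCom's pipe name really is spelled "communicaton").
ADMIN_SHARES = {"ADMIN$"}
SUSPICIOUS_PIPES = {"\\psexesvc", "\\remcom_communicaton"}


def is_workstation(host: str) -> bool:
    return host.upper().startswith("WS-")   # assumption: site naming convention


@dataclass(frozen=True)
class ProcessEvent:          # Sysmon EventID 1
    host: str
    parent_image: str
    image: str
    sha256: str


@dataclass(frozen=True)
class PipeEvent:             # Sysmon EventID 17/18
    host: str
    pipe_name: str


@dataclass(frozen=True)
class SmbEvent:              # Zeek smb_mapping.log
    src_host: str
    dst_host: str
    share: str


def layer1_shell_from_rmm(ev: ProcessEvent) -> Optional[dict]:
    if ev.parent_image.lower() in RMM_SERVICE_PARENTS and ev.image.lower() in SHELLS:
        return {"layer": 1, "host": ev.host, "detail": f"{ev.parent_image} spawned {ev.image}"}
    return None


def layer2_unapproved_rmm(ev: ProcessEvent) -> Optional[dict]:
    if ev.sha256 in UNAPPROVED_RMM_SHA256 and ev.sha256 not in APPROVED_RMM_SHA256:
        name = UNAPPROVED_RMM_SHA256[ev.sha256]
        return {"layer": 2, "host": ev.host, "detail": f"unapproved RMM agent {name} ({ev.image})"}
    return None


def layer3_ws_to_ws_admin_share(ev: SmbEvent) -> Optional[dict]:
    if (ev.share.upper() in ADMIN_SHARES and is_workstation(ev.src_host)
            and is_workstation(ev.dst_host) and ev.src_host != ev.dst_host):
        return {"layer": 3, "host": ev.dst_host, "detail": f"{ev.src_host} mapped {ev.share} on {ev.dst_host}"}
    return None


def layer3_psexec_pipe(ev: PipeEvent) -> Optional[dict]:
    if ev.pipe_name.lower() in SUSPICIOUS_PIPES:
        return {"layer": 3, "host": ev.host, "detail": f"named pipe {ev.pipe_name}"}
    return None


def correlate(process_events, pipe_events, smb_events) -> list:
    """Run every layer over its event source and collect the alerts in input order."""
    alerts = []
    for ev in process_events:
        alerts += [a for a in (layer1_shell_from_rmm(ev), layer2_unapproved_rmm(ev)) if a]
    alerts += [a for a in map(layer3_psexec_pipe, pipe_events) if a]
    alerts += [a for a in map(layer3_ws_to_ws_admin_share, smb_events) if a]
    return alerts


SAMPLE_PROCESS = [
    ProcessEvent("RMM-SRV-01", "bomgar-scc.exe", "cmd.exe", "f" * 64),        # layer 1
    ProcessEvent("RMM-SRV-01", "services.exe", "bomgar-scc.exe", "0" * 64),   # approved agent, benign
    ProcessEvent("WS-017", "explorer.exe", "remote-agent.exe", "1" * 64),     # layer 2 (constructed name)
    ProcessEvent("WS-017", "explorer.exe", "outlook.exe", "e" * 64),          # benign
]
SAMPLE_PIPES = [PipeEvent("WS-017", "\\PSEXESVC"), PipeEvent("WS-017", "\\lsass")]
SAMPLE_SMB = [
    SmbEvent("WS-042", "WS-017", "ADMIN$"),    # layer 3: workstation to workstation
    SmbEvent("MGMT-01", "WS-017", "ADMIN$"),   # dedicated management server, expected
    SmbEvent("WS-042", "FS-01", "Projects"),   # ordinary file share
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_PROCESS, SAMPLE_PIPES, SAMPLE_SMB):
        print(f"L{alert['layer']} {alert['host']}: {alert['detail']}")
```

Layer 3 deliberately lets the management server through: the hardening point below is that only dedicated management hosts may reach ADMIN$ on workstations, so the rule keys on the source being a workstation rather than on ADMIN$ alone.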

MITRE D3FEND recommends specific countermeasures:
[image: D3FEND countermeasure mapping table; not reproduced in the text]

Adversary simulation and hardening
TTP emulation with Atomic Red Team
Environment setup:
• OS: Windows Server 2019/2022 (DC + member server), Windows 10/11 (workstations)
• RAM: minimum 16 GB for 3 VMs, recommended 24 GB
• Tools: Atomic Red Team (active project, github.com/redcanaryco/atomic-red-team), Mimikatz, Impacket
• Network: isolated lab, host-only
• EDR (optional): CrowdStrike Falcon Trial or Elastic Agent (free license) to check detection
Ready-made Atomic Red Team tests for the described TTP:
• T1550.002 (3 tests): Mimikatz PtH, crackmapexec PtH, Invoke-WMIExec PtH
• T1021.002 (3 tests): Map admin share, Map Admin Share PowerShell, Copy and Execute File with PsExec
• T1021.001 (3 tests): RDP to DomainController, Changing RDP Port (PowerShell and cmd)
Running the PtH test and checking for the detection gap:

Code:

# Atomic Red Team: T1550.002 Test #2 - crackmapexec PtH
Invoke-AtomicTest T1550.002 -TestNumbers 2
# After execution, check the SIEM for Sigma rule triggers
# No alert = detection gap; document and close
After each test, check whether the corresponding rule from the previous section fired in your SIEM. No alert: document the gap and write a new rule. Without this "test -> check -> rule" cycle, all the Sigma rules above remain theory.
Hardening-checklist
1. RMM allowlist. Make an approved list of RMM tools. Block everything else through Application Control (CrowdStrike Falcon, Kaspersky EDR Expert, SentinelOne).
2. Patch CVE-2026-1731. Update BeyondTrust RS/PRA. If that is impossible, isolate from the Internet or decommission (CISA recommendation).
3. Ban SMB workstation-to-workstation. Through Windows Firewall GPO or microsegmentation: workstations do not connect via SMB to other workstations. Only dedicated management servers do.
4. Disable NTLMv1. GPO: LmCompatibilityLevel = 5. Monitor via Sigma win_system_lsasrv_ntlmv1.yml.
5. Credential Guard. Enable on Windows 10/11, Server 2016+. Blocks extraction of NTLM hashes via Mimikatz.
6. LAPS. Deploy Local Administrator Password Solution; rotation of local admin passwords rules out hash reuse during lateral movement.
7. RDP only from dedicated admin workstations. Enable NLA. Sigma: win_security_not_allowed_rdp_access.yml for monitoring.
8. Sysmon EventID 17/18. Monitor named pipes for RemCom/PsExec detection.
9. Audit ADMIN$ shares. Windows Security EventID 5140/5145: log all access.
10. Baseline RMM traffic. Document the normal traffic pattern between the RMM server and agents. Alert on volume anomalies (D3-PHDURA).
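Checklist item 10 in code: an added example (not from the original post) that learns a per-agent baseline of daily RMM server-to-agent volume from a constructed two-week history and then alerts on two things, a volume far outside the baseline and an agent that has no baseline at all. The byte counts, agent names, the 3-sigma threshold and the 50 KB standard-deviation floor are all assumptions to tune for your environment.

```python
"""Per-agent baseline of RMM server-to-agent traffic volume with anomaly alerting,
in the spirit of D3FEND D3-PHDURA. Added example; every volume is constructed."""
from statistics import mean, pstdev

# Constructed 14-day history of bytes sent from the RMM server to each agent.
BASELINE_DAYS = {
    "WS-017": [2_100_000, 2_050_000, 1_980_000, 2_200_000, 2_120_000, 2_010_000, 2_090_000,
               2_150_000, 2_030_000, 1_990_000, 2_180_000, 2_060_000, 2_110_000, 2_070_000],
    "WS-042": [1_500_000, 1_480_000, 1_520_000, 1_510_000, 1_490_000, 1_530_000, 1_470_000,
               1_500_000, 1_515_000, 1_485_000, 1_505_000, 1_495_000, 1_525_000, 1_475_000],
}
Z_THRESHOLD = 3.0        # assumption: alert above mean + 3 standard deviations
MIN_STDDEV = 50_000      # floor so a very flat history does not alert on trivial jitter


def build_baseline(history: dict) -> dict:
    """agent -> (mean bytes/day, std dev with floor) over the learning window."""
    return {agent: (mean(days), max(pstdev(days), MIN_STDDEV)) for agent, days in history.items()}


def check_day(observed: dict, baseline: dict) -> list:
    """Alerts for one day's agent -> bytes observations against the baseline."""
    alerts = []
    for agent, volume in observed.items():
        if agent not in baseline:
            alerts.append({"agent": agent, "reason": "agent not in baseline", "bytes": volume})
            continue
        mu, sigma = baseline[agent]
        z = (volume - mu) / sigma
        if z > Z_THRESHOLD:
            alerts.append({"agent": agent, "reason": "volume anomaly", "bytes": volume, "z": round(z, 1)})
    return alerts


# Constructed observation for one day: WS-042 receives ~480 MB (a deployment the baseline
# has never seen) and WS-NEW is an agent that was never enrolled.
OBSERVED = {"WS-017": 2_080_000, "WS-042": 480_000_000, "WS-NEW": 3_000_000}

if __name__ == "__main__":
    for alert in check_day(OBSERVED, build_baseline(BASELINE_DAYS)):
        print(alert)
```

A burst like the WS-042 one is exactly what mass ransomware deployment through the RMM platform looks like from the network side; whether it is that or a legitimate rollout is what the change calendar is for, which is why the alert carries the volume and z-score rather than a verdict.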
In my adversary simulation practice (7 organizations in two years), in five cases RMM traffic was not monitored at all. The sample is small, but the pattern is stable. And the reason is not weakness of the SOC: RMM was perceived as "our tool", not as a potential C2. This is a fundamental perception error, especially characteristic of healthcare projects, where BeyondTrust serves medical equipment.