Detect BeyondTrust Remote Support Pre-Auth RCE (CVE-2026-1731) in Google Chronicle
Detects exploitation of CVE-2026-1731, a pre-authentication OS command injection (CWE-78) leading to remote code execution in BeyondTrust Remote Support and Privileged Remote Access (CVSS 9.8; listed in CISA KEV as actively exploited in the wild). An unauthenticated attacker can execute arbitrary OS commands on the appliance by sending crafted HTTP requests to its web interface.
YARA-L Detection Query
rule cve_2026_1731_beyondtrust_preauth_rce {

  meta:
    author = "df00tech"
    description = "Detects CVE-2026-1731 BeyondTrust Remote Support Pre-Auth RCE exploitation"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://www.beyondtrust.com/trust-center/security-advisories/bt26-02"
    cve = "CVE-2026-1731"

  events:
    (
      // Signal path 1: suspicious child process spawned by a BeyondTrust parent.
      // In a PROCESS_LAUNCH event principal.process is the launching (parent)
      // process and target.process is the new child; principal.process.parent_process
      // would be the grandparent, so the parent check must be on principal.process.
      $e1.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e1.principal.process.file.full_path, `(?i)(bomgar|beyondtrust|remote_support|rs_app|pra)`) and
      // Anchored on the basename so "id", "nc" or "curl" cannot match as a substring of an unrelated path.
      re.regex($e1.target.process.file.full_path, `(?i)(^|[/\\])(cmd\.exe|powershell\.exe|sh|bash|python[0-9.]*|wget|curl|nc|ncat|whoami|id)$`)
    ) or
    (
      // Signal path 2: exploit-characteristic HTTP POST to the appliance web interface.
      $e1.metadata.event_type = "NETWORK_HTTP" and
      re.regex($e1.network.http.user_agent, `(?i)(python-requests|curl/|Go-http-client|CVE-2026-1731|exploit)`) and
      re.regex($e1.target.url, `(?i)(/api/|/login|/appliance|/cgi-bin)`) and
      $e1.network.http.method = "POST"
    ) or
    (
      // Signal path 3: command injection payload echoed in a BeyondTrust application log event.
      re.regex($e1.metadata.product_name, `(?i)(beyondtrust|remote.support|privileged.remote.access)`) and
      re.regex($e1.metadata.description, `(?i)(;id;|;whoami;|os\.system|shell_exec|exec\(|\$\(id\)|\$\(whoami\))`)
    )

  condition:
    $e1
}

Chronicle YARA-L rule detecting CVE-2026-1731 exploitation through three signal paths: a BeyondTrust parent process spawning a shell, interpreter or download utility; exploit-characteristic HTTP POST requests to appliance endpoints; and command injection payloads appearing in BeyondTrust application log events. Because the three paths are joined with or on a single event variable, any one matching event fires the rule. The HTTP path is by far the noisiest (a python-requests POST to /api/ is exactly what a legitimate integration looks like) and should be scoped to the appliance's address or hostname plus the exclusions listed under False Positives & Tuning.
False Positives & Tuning
- Authorized scripted integrations using python-requests to interact with BeyondTrust REST API
- BeyondTrust appliance automated update mechanism that spawns child processes including shell utilities
- Penetration tests with documented coverage of the BeyondTrust appliance
- Security scanning tools that POST to appliance health-check endpoints with curl user-agents
Testing Methodology
Validate this detection against the three adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: CVE-2026-1731 PoC HTTP request simulation
Expected signal: IIS/nginx access log entry: POST /api/unauthenticated/session with user-agent 'CVE-2026-1731-PoC-Test' and POST body containing ';id;whoami;'. WAF should log or block the request. Once parsed into a NETWORK_HTTP event, the user-agent and the /api/ path satisfy the rule's second signal path.
- Test 2: BeyondTrust service account spawning shell (simulated post-exploitation)
Expected signal: Windows Security Event 4688: new process cmd.exe with parent process belonging to the BeyondTrust service account (btrs_service). Process command line contains whoami, hostname, ipconfig, net user. Note that the rule's process path keys on the parent image path (bomgar, beyondtrust, rs_app, ...), not on the account, so the parent must be a binary under the BeyondTrust install directory for the rule to fire.
- Test 3: BeyondTrust process outbound reverse shell simulation
Expected signal: Linux auditd execve syscall: bash -i spawned by the beyondtrust service process. Network connection record: beyondtrust process connecting outbound to LAB_ATTACKER_IP:4444 (non-standard port, external IP). The rule alerts on the execve (PROCESS_LAUNCH) half of this test; it has no NETWORK_CONNECTION branch, so the outbound connection is corroborating telemetry for the investigation rather than a trigger.
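To check the rule's logic offline before shipping it, the following Python script (an added example, not part of the original page, the df00tech rule, or Chronicle) ports the six regex predicates, with the child-process regex anchored on the basename, and replays them over constructed UDM-shaped events: one for each of the three tests above, one application-log event, and two benign events taken from the tuning list (an allowlisted python-requests integration, and a vendor helper binary whose path merely contains "curl" as a substring). The hostnames, IPs, file paths and the source-IP allowlist are assumptions, and principal.ip is simplified to a single string although it is a repeated field in real UDM.

```python
"""Offline replay of the three signal paths of cve_2026_1731_beyondtrust_preauth_rce.

Added example: not part of the original rule and not Chronicle code. The six
regexes are a Python port of the YARA-L predicates; the events, hostnames, IPs
and file paths below are constructed to resemble the telemetry the three tests
should produce, plus two benign events from the tuning list.
"""
import re

# Constructed tuning knob: source IPs of authorised scripted integrations.
ALLOWLISTED_SOURCE_IPS = {"10.0.5.20"}

PARENT_RE = re.compile(r"(bomgar|beyondtrust|remote_support|rs_app|pra)", re.I)
# Anchored on the basename so that "id", "nc" or "curl" do not match as a
# substring of an unrelated path such as .../libexec/curl-helper.
CHILD_RE = re.compile(
    r"(^|[/\\])(cmd\.exe|powershell\.exe|sh|bash|python[0-9.]*|wget|curl|nc|ncat|whoami|id)$",
    re.I,
)
UA_RE = re.compile(r"(python-requests|curl/|Go-http-client|CVE-2026-1731|exploit)", re.I)
URL_RE = re.compile(r"(/api/|/login|/appliance|/cgi-bin)", re.I)
PRODUCT_RE = re.compile(r"(beyondtrust|remote.support|privileged.remote.access)", re.I)
PAYLOAD_RE = re.compile(r"(;id;|;whoami;|os\.system|shell_exec|exec\(|\$\(id\)|\$\(whoami\))", re.I)


def field(event, path):
    """Walk a dotted UDM path; a missing field is the empty string, as in YARA-L."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return ""
        cur = cur[key]
    return cur if isinstance(cur, str) else ""


def match_event(event):
    """Return the name of the first signal path that fires for one event, or None."""
    event_type = field(event, "metadata.event_type")
    # Path 1: in PROCESS_LAUNCH, principal.process is the launching (parent)
    # process and target.process is the child.
    if (event_type == "PROCESS_LAUNCH"
            and PARENT_RE.search(field(event, "principal.process.file.full_path"))
            and CHILD_RE.search(field(event, "target.process.file.full_path"))):
        return "process_spawn"
    # Path 2: exploit-shaped POST, minus allowlisted integration hosts (constructed tuning).
    if (event_type == "NETWORK_HTTP"
            and field(event, "network.http.method") == "POST"
            and UA_RE.search(field(event, "network.http.user_agent"))
            and URL_RE.search(field(event, "target.url"))
            and field(event, "principal.ip") not in ALLOWLISTED_SOURCE_IPS):
        return "http_request"
    # Path 3: injection payload echoed in a BeyondTrust application log line.
    if (PRODUCT_RE.search(field(event, "metadata.product_name"))
            and PAYLOAD_RE.search(field(event, "metadata.description"))):
        return "app_log_payload"
    return None


# Constructed events (not real telemetry); keys follow UDM naming.
SAMPLE_EVENTS = {
    "test1_poc_http": {
        "metadata": {"event_type": "NETWORK_HTTP"},
        "principal": {"ip": "198.51.100.7"},
        "network": {"http": {"method": "POST", "user_agent": "CVE-2026-1731-PoC-Test"}},
        "target": {"url": "https://support.example.com/api/unauthenticated/session"},
    },
    "test2_windows_cmd": {
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {"process": {"file": {"full_path": r"C:\Program Files\Bomgar\Remote Support\rs_app.exe"}}},
        "target": {"process": {"file": {"full_path": r"C:\Windows\System32\cmd.exe"},
                               "command_line": "cmd.exe /c whoami && hostname && ipconfig"}},
    },
    "test3_linux_reverse_shell": {
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {"process": {"file": {"full_path": "/opt/beyondtrust/rs/bin/rs_app"}}},
        "target": {"process": {"file": {"full_path": "/bin/bash"}, "command_line": "bash -i"}},
    },
    "app_log_payload": {
        "metadata": {"event_type": "GENERIC_EVENT", "product_name": "BeyondTrust Remote Support",
                     "description": "Rejected parameter value: ';id;whoami;'"},
    },
    "benign_integration": {
        "metadata": {"event_type": "NETWORK_HTTP"},
        "principal": {"ip": "10.0.5.20"},
        "network": {"http": {"method": "POST", "user_agent": "python-requests/2.31.0"}},
        "target": {"url": "https://support.example.com/api/config/v1/user"},
    },
    "benign_vendor_helper": {
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {"process": {"file": {"full_path": "/opt/beyondtrust/rs/bin/rs_app"}}},
        "target": {"process": {"file": {"full_path": "/opt/beyondtrust/rs/libexec/curl-helper"}}},
    },
}


def replay(events=SAMPLE_EVENTS):
    """Run every event through the rule logic; returns {event_name: signal_path_or_None}."""
    return {name: match_event(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in replay().items():
        print(f"{name:28s} -> {hit}")
```

Running it prints which signal path each event trips. The two benign events come back as None only because of the allowlist and the basename anchoring, which is the kind of exclusion the tuning section asks for; nothing in the script talks to a Chronicle tenant, so it is safe to run anywhere.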