CVE-2026-1731 Elastic Security · Elastic

Detect BeyondTrust Remote Support Pre-Auth RCE (CVE-2026-1731) in Elastic Security

Detects exploitation of CVE-2026-1731, a pre-authentication remote code execution vulnerability (CWE-78, OS command injection) in BeyondTrust Remote Support and Privileged Remote Access. CVSS 9.8. Actively exploited in the wild (CISA KEV). Attackers can execute arbitrary OS commands without authentication via crafted HTTP requests to the appliance web interface.

MITRE ATT&CK

Tactics: Initial Access, Execution, Lateral Movement

Elastic Detection Query

Elastic Security (Elastic), EQL:

sequence by host.name with maxspan=5m
  [process where process.parent.name : ("bomgar*", "beyondtrust*", "remote_support*", "rs_app*", "pra*")
   and process.name : ("cmd.exe", "powershell.exe", "sh", "bash", "python*", "wget", "curl", "nc", "ncat", "whoami", "id")]
  [any where
    (event.category == "network" and destination.port not in (80, 443, 8080, 8443) and destination.ip != null)
    or
    (event.category == "file" and file.path : ("/tmp/*", "C:\\Windows\\Temp\\*", "C:\\Users\\*\\AppData\\Local\\Temp\\*"))
  ]

Severity: critical. Confidence: high.

EQL sequence detection: identifies a BeyondTrust parent process spawning a suspicious shell or utility binary, followed within 5 minutes by an anomalous outbound network connection or suspicious file drop — characteristic of post-exploitation after CVE-2026-1731 pre-auth RCE.
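To make the sequence semantics concrete, the following is an added example (not Elastic's code and not the rule itself) that re-implements the two-stage logic above in plain Python over a handful of constructed ECS-style events. It shows the three cases a tuner cares about: a true positive (BeyondTrust parent spawning a shell, then an outbound connection on a non-standard port within the window), a benign updater fetching over 443 (stage 2 does not fire because the port is allowed), and a pair that falls outside the 5-minute maxspan. Host names, IPs and paths are constructed; the wildcard handling is a simplification of EQL's case-insensitive `:` operator, and the "newest stage-1 event restarts the window" behaviour is an assumption of this toy, not a statement about Elasticsearch's engine.

```python
"""Toy re-implementation of the EQL sequence rule for CVE-2026-1731 post-exploitation.
Added illustration only; the real rule runs inside Elastic Security on ECS documents."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Patterns copied from the EQL rule above.
PARENT_PATTERNS = ("bomgar*", "beyondtrust*", "remote_support*", "rs_app*", "pra*")
CHILD_PATTERNS = ("cmd.exe", "powershell.exe", "sh", "bash", "python*", "wget", "curl",
                  "nc", "ncat", "whoami", "id")
ALLOWED_PORTS = {80, 443, 8080, 8443}
TEMP_PATHS = ("/tmp/*", r"C:\Windows\Temp\*", r"C:\Users\*\AppData\Local\Temp\*")
MAXSPAN = timedelta(minutes=5)


def _match_any(value, patterns):
    """Approximate EQL ':' (case-insensitive wildcard) with lower-cased fnmatch."""
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_stage1(ev):
    """Stage 1: a BeyondTrust-looking parent spawning a shell or LOLBin."""
    return (ev.get("event.category") == "process"
            and _match_any(ev.get("process.parent.name"), PARENT_PATTERNS)
            and _match_any(ev.get("process.name"), CHILD_PATTERNS))


def is_stage2(ev):
    """Stage 2: outbound connection on a non-web port, or a drop into a temp directory."""
    cat = ev.get("event.category")
    if cat == "network":
        return (ev.get("destination.ip") is not None
                and ev.get("destination.port") not in ALLOWED_PORTS)
    if cat == "file":
        return _match_any(ev.get("file.path"), TEMP_PATHS)
    return False


def find_sequences(events):
    """Return (stage1_event, stage2_event) pairs keyed by host.name within MAXSPAN.
    Simplification (assumption): at most one pending stage-1 event per host, and a
    newer stage-1 event replaces the older one."""
    pending = {}   # host.name -> unmatched stage-1 event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev.get("host.name")
        if host is None:
            continue
        if is_stage1(ev):
            pending[host] = ev
            continue
        start = pending.get(host)
        if start is None or not is_stage2(ev):
            continue
        if ev["@timestamp"] - start["@timestamp"] <= MAXSPAN:
            matches.append((start, ev))
        # Matched or expired either way: the pending stage-1 is consumed.
        del pending[host]
    return matches


# Constructed sample telemetry (not real logs); documentation-reserved IP ranges.
T0 = datetime(2026, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    # True positive: appliance service spawns sh, then talks out on 4444 within 40 s.
    {"@timestamp": T0, "host.name": "rs-appliance-01", "event.category": "process",
     "process.parent.name": "bomgar-rs", "process.name": "sh"},
    {"@timestamp": T0 + timedelta(seconds=40), "host.name": "rs-appliance-01",
     "event.category": "network", "destination.ip": "203.0.113.7", "destination.port": 4444},
    # Benign updater: curl over 443 is an allowed port, so stage 2 never fires.
    {"@timestamp": T0 + timedelta(minutes=1), "host.name": "rs-appliance-02",
     "event.category": "process", "process.parent.name": "beyondtrust-updater",
     "process.name": "curl"},
    {"@timestamp": T0 + timedelta(minutes=2), "host.name": "rs-appliance-02",
     "event.category": "network", "destination.ip": "198.51.100.10", "destination.port": 443},
    # Outside maxspan: stage 2 lands 6 minutes after stage 1, so no sequence.
    {"@timestamp": T0 + timedelta(minutes=10), "host.name": "rs-appliance-03",
     "event.category": "process", "process.parent.name": "rs_app_svc",
     "process.name": "powershell.exe"},
    {"@timestamp": T0 + timedelta(minutes=16), "host.name": "rs-appliance-03",
     "event.category": "file", "file.path": r"C:\Windows\Temp\update.tmp"},
]

if __name__ == "__main__":
    for s1, s2 in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT host={s1['host.name']} parent={s1['process.parent.name']} "
              f"child={s1['process.name']} -> {s2['event.category']} event")
```

Running it prints a single alert for rs-appliance-01. The benign-updater case is exactly the first item under "False Positives & Tuning": if an updater were to fetch over a non-standard port or write into a temp directory, it would match, which is why tuning usually adds an exclusion on the known updater parent name rather than widening the allowed-port list.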

Data Sources

Elastic Endpoint, Elastic Agent (Network), Elastic Agent (File)

Required Tables

logs-endpoint.events.process-*, logs-endpoint.events.network-*, logs-endpoint.events.file-*

False Positives & Tuning

  • BeyondTrust update routines that download patches via curl or wget to temp directories
  • Legitimate administrative health-check scripts spawned by the appliance service account
  • Security tooling that injects into appliance processes for DLP or DRM monitoring purposes

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2026-1731 PoC HTTP Request Simulation

    Expected signal: IIS/nginx access log entry: POST /api/unauthenticated/session with user-agent 'CVE-2026-1731-PoC-Test' and POST body containing ';id;whoami;'. WAF should log or block the request.

  2. Test 2: BeyondTrust Service Account Spawning Shell (Simulated Post-Exploitation)

    Expected signal: Windows Security Event 4688: new process cmd.exe with parent process belonging to BeyondTrust service account (btrs_service). Process command line contains whoami, hostname, ipconfig, net user.

  3. Test 3: BeyondTrust Process Outbound Reverse Shell Simulation

    Expected signal: Linux auditd execve syscall: bash -i spawned by beyondtrust service process. Network connection record: beyondtrust process connecting outbound to LAB_ATTACKER_IP:4444 (non-standard port, external IP).
