Detect BeyondTrust Remote Support Pre-Auth RCE (CVE-2026-1731) in CrowdStrike LogScale
Detects exploitation of CVE-2026-1731, a pre-authentication remote code execution vulnerability (CWE-78, OS command injection) in BeyondTrust Remote Support and Privileged Remote Access. CVSS 9.8. Actively exploited in the wild (CISA KEV). Attackers can execute arbitrary OS commands without authentication via crafted HTTP requests to the appliance web interface.
MITRE ATT&CK
LogScale Detection Query
// CVE-2026-1731 BeyondTrust Pre-Auth RCE Detection
// Two signal paths: (1) a shell utility spawned under a BeyondTrust parent process,
// (2) a BeyondTrust process connecting outbound to a public IP on a non-standard port.
#repo=base_activities
| in(field="#event_simpleName", values=["ProcessRollup2", "SyntheticProcessRollup2", "NetworkConnectIP4", "NetworkConnectIP6"])
| case {
    // Signal 1: suspicious child process under a BeyondTrust parent
    in(field="#event_simpleName", values=["ProcessRollup2", "SyntheticProcessRollup2"])
    | ParentBaseFileName=/^(bomgar|beyondtrust|remote_support|rs_app)/i
    | FileName=/^(cmd\.exe|powershell\.exe|bash|sh|python.*|wget|curl|nc|whoami)$/i
    | detection_type := "SuspiciousChildProcess";
    // Signal 2: anomalous outbound connection from a BeyondTrust process.
    // Raw NetworkConnectIP4/6 events carry ContextProcessId rather than the image name;
    // this branch assumes ImageFileName has been enriched onto the event (join on
    // ProcessRollup2 TargetProcessId if your data is not enriched).
    in(field="#event_simpleName", values=["NetworkConnectIP4", "NetworkConnectIP6"])
    | ImageFileName=/(^|[\\\/])(bomgar|beyondtrust|remote_support)/i
    | RemoteIP := coalesce([RemoteAddressIP4, RemoteAddressIP6])
    | !in(field="RemotePort", values=["80", "443", "8080", "8443"])
    | !cidr(field="RemoteIP", subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
    | detection_type := "AnomalousOutboundConnection";
}
| select([@timestamp, aid, ComputerName, detection_type, ParentBaseFileName, FileName, CommandLine, RemoteIP, RemotePort])
| sort(@timestamp, order=desc)

CrowdStrike Falcon Insight CQL detecting CVE-2026-1731 via two signal paths on managed endpoints running BeyondTrust: suspicious child processes under BeyondTrust parent executables, and anomalous outbound network connections initiated by BeyondTrust processes to non-standard ports on public IPs.
Data Sources
Required Tables
False Positives & Tuning
- BeyondTrust appliance update processes that spawn shell utilities to install patches
- Authorized red team operations targeting BeyondTrust infrastructure with documented scope
- BeyondTrust integrations with third-party SIEM/SOAR platforms that initiate outbound connections on non-standard ports
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2026-1731 PoC HTTP Request Simulation
Expected signal: IIS/nginx access log entry: POST /api/unauthenticated/session with user-agent 'CVE-2026-1731-PoC-Test' and POST body containing ';id;whoami;'. WAF should log or block the request.
- Test 2: BeyondTrust Service Account Spawning Shell (Simulated Post-Exploitation)
Expected signal: Windows Security Event 4688: new process cmd.exe with parent process belonging to BeyondTrust service account (btrs_service). Process command line contains whoami, hostname, ipconfig, net user.
- Test 3: BeyondTrust Process Outbound Reverse Shell Simulation
Expected signal: Linux auditd execve syscall: bash -i spawned by beyondtrust service process. Network connection record: beyondtrust process connecting outbound to LAB_ATTACKER_IP:4444 (non-standard port, external IP).
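The following is an added example, not code from this page, CrowdStrike or BeyondTrust: a Python replay of the two-signal detection logic in the LogScale query above, run offline over constructed Falcon-style events that mirror Tests 2 and 3. Field names follow the query (event_simpleName, ParentBaseFileName, FileName, ImageFileName, RemoteIP, RemotePort); the sample events, the integration_destinations allowlist (a tuning knob for the third false-positive source listed above) and the hostnames are assumptions. It generalises the query's RFC 1918 check to loopback and IPv6 unique-local ranges, accepts full Windows or POSIX paths in ImageFileName, and treats malformed ports or addresses as non-matching rather than erroring.

```python
# Added example (not from the page): local replay of the CVE-2026-1731
# two-signal detection over constructed telemetry.
import ipaddress
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Prefix match on the parent / image basename, as in the query's bomgar* style patterns.
BEYONDTRUST_PARENT = re.compile(r"^(bomgar|beyondtrust|remote_support|rs_app)", re.IGNORECASE)
BEYONDTRUST_IMAGE = re.compile(r"^(bomgar|beyondtrust|remote_support)", re.IGNORECASE)
# Exact match on the child's file name (python* keeps its wildcard).
SHELL_UTILITIES = re.compile(
    r"^(cmd\.exe|powershell\.exe|bash|sh|python.*|wget|curl|nc|whoami)$", re.IGNORECASE)
EXPECTED_PORTS = {80, 443, 8080, 8443}
# RFC 1918 as in the query, plus loopback and IPv6 unique-local (added generalisation).
NON_EXTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path (ImageFileName is usually a full path)."""
    return re.split(r"[\\/]", path)[-1]


def is_external(ip: str) -> bool:
    """True only for a well-formed address outside every non-external range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed value: do not alert on garbage
    return not any(addr in net for net in NON_EXTERNAL_NETS)


def classify(event: Dict, integration_destinations: FrozenSet[Tuple[str, int]] = frozenset()) -> Optional[str]:
    """Return the detection_type for one event, or None when it does not match."""
    kind = event.get("event_simpleName")
    if kind in ("ProcessRollup2", "SyntheticProcessRollup2"):
        parent = basename(str(event.get("ParentBaseFileName", "")))
        child = basename(str(event.get("FileName", "")))
        if BEYONDTRUST_PARENT.match(parent) and SHELL_UTILITIES.match(child):
            return "SuspiciousChildProcess"
        return None
    if kind in ("NetworkConnectIP4", "NetworkConnectIP6"):
        if not BEYONDTRUST_IMAGE.match(basename(str(event.get("ImageFileName", "")))):
            return None
        try:
            port = int(event.get("RemotePort", -1))
        except (TypeError, ValueError):
            return None
        ip = str(event.get("RemoteIP", ""))
        if port in EXPECTED_PORTS or not is_external(ip):
            return None
        if (ip, port) in integration_destinations:  # documented SIEM/SOAR integration
            return None
        return "AnomalousOutboundConnection"
    return None


def run_detection(events: Iterable[Dict], integration_destinations: FrozenSet[Tuple[str, int]] = frozenset()) -> List[Dict]:
    """Apply classify() to an event stream; returns one hit record per matching event."""
    hits = []
    for ev in events:
        dt = classify(ev, integration_destinations)
        if dt:
            hits.append({"ComputerName": ev.get("ComputerName"), "detection_type": dt,
                         "FileName": ev.get("FileName"), "RemoteIP": ev.get("RemoteIP"),
                         "RemotePort": ev.get("RemotePort")})
    return hits


# Constructed sample telemetry: field names follow the query, all values are made up.
IMAGE = "/opt/beyondtrust/bin/remote_support_agent"
SAMPLE_EVENTS = [
    # Test 2: shell spawned under the BeyondTrust service
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01",
     "ParentBaseFileName": "bomgar-scc.exe", "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami & hostname"},
    # Benign: same parent launching an installer, not a shell utility
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01",
     "ParentBaseFileName": "bomgar-scc.exe", "FileName": "msiexec.exe", "CommandLine": "msiexec.exe /i update.msi /qn"},
    # Test 3: interactive bash spawned by the appliance process
    {"event_simpleName": "ProcessRollup2", "ComputerName": "rs-appliance",
     "ParentBaseFileName": "remote_support_agent", "FileName": "bash", "CommandLine": "bash -i"},
    # Test 3: outbound to a public IP on a non-standard port
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "rs-appliance",
     "ImageFileName": IMAGE, "RemoteIP": "203.0.113.25", "RemotePort": 4444},
    # Benign: ordinary HTTPS from the same image
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "rs-appliance",
     "ImageFileName": IMAGE, "RemoteIP": "203.0.113.25", "RemotePort": 443},
    # Benign: same port, but an RFC 1918 destination
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "rs-appliance",
     "ImageFileName": IMAGE, "RemoteIP": "172.20.5.9", "RemotePort": 4444},
    # Documented SIEM integration on a non-standard port, suppressed by the allowlist
    {"event_simpleName": "NetworkConnectIP6", "ComputerName": "rs-appliance",
     "ImageFileName": IMAGE, "RemoteIP": "2a02:1234:5678::10", "RemotePort": 6514},
]
INTEGRATIONS = frozenset({("2a02:1234:5678::10", 6514)})

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, INTEGRATIONS):
        print(hit)
```

Running the script prints three hits (two SuspiciousChildProcess, one AnomalousOutboundConnection); dropping the allowlist argument adds a fourth for the integration destination, which is the tuning decision the false-positive notes above describe.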