Detect BeyondTrust Remote Support Pre-Auth RCE (CVE-2026-1731) in IBM QRadar
Detects exploitation of CVE-2026-1731, a pre-authentication remote code execution vulnerability (CWE-78, OS command injection) in BeyondTrust Remote Support and Privileged Remote Access. CVSS 9.8. Actively exploited in the wild (CISA KEV). Attackers can execute arbitrary OS commands without authentication via crafted HTTP requests to the appliance web interface.
QRadar Detection Query
    SELECT
        DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
        sourceip,
        destinationip,
        destinationport,
        username,
        "processname",
        "parentprocessname",
        QIDNAME(qid) AS event_name,
        category,
        LOGSOURCENAME(logsourceid) AS log_source,
        UTF8(payload) AS raw_payload
    FROM events
    WHERE
        LOGSOURCETYPENAME(devicetype) IN ('BeyondTrust Remote Support', 'BeyondTrust PRA', 'Microsoft Windows Security Event Log', 'Apache Access Log', 'IIS')
        AND (
            (
                LOWER("parentprocessname") MATCHES '.*bomgar.*|.*beyondtrust.*|.*remote_support.*|.*rs_app.*|.*pra.*'
                AND LOWER("processname") IN ('cmd.exe', 'powershell.exe', 'sh', 'bash', 'python', 'python3', 'wget', 'curl', 'nc', 'whoami', 'id')
            )
            OR (
                LOWER(UTF8(payload)) MATCHES '.*(exec|os\.system|shell_exec|command injection|;id;|;whoami;|\$\(id\)).*'
                AND LOGSOURCETYPENAME(devicetype) IN ('BeyondTrust Remote Support', 'BeyondTrust PRA')
            )
            OR (
                LOWER(UTF8(payload)) MATCHES '.*(python-requests|curl/|go-http-client|exploit|poc/cve-2026-1731).*'
                AND category = 'Web'
            )
        )
    LAST 24 HOURS

This QRadar AQL query detects CVE-2026-1731 exploitation through BeyondTrust log sources by looking for command injection payloads, suspicious child processes spawned by appliance parent processes, and exploit-characteristic HTTP user-agents in web access logs.
False Positives & Tuning
- Authorized BeyondTrust API integrations using python-requests or curl libraries in DevOps pipelines
- Penetration testing exercises with documented scope covering the BeyondTrust appliance
- BeyondTrust appliance diagnostic routines that spawn system utilities for health reporting
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2026-1731 PoC HTTP Request Simulation
Expected signal: IIS/nginx access log entry: POST /api/unauthenticated/session with user-agent 'CVE-2026-1731-PoC-Test' and POST body containing ';id;whoami;'. WAF should log or block the request.
- Test 2: BeyondTrust Service Account Spawning Shell (Simulated Post-Exploitation)
Expected signal: Windows Security Event 4688: new process cmd.exe with parent process belonging to the BeyondTrust service account (btrs_service). Process command line contains whoami, hostname, ipconfig, net user.
- Test 3: BeyondTrust Process Outbound Reverse Shell Simulation
Expected signal: Linux auditd execve syscall: bash -i spawned by the BeyondTrust service process. Network connection record: BeyondTrust process connecting outbound to LAB_ATTACKER_IP:4444 (non-standard port, external IP).
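Added example, not code from the page or from BeyondTrust: a Python transcription of the three OR branches of the AQL query above, run over constructed events that mirror the expected signals of Tests 1-3 plus a few edge cases, so the query's coverage can be checked offline before it is deployed. The log source type name 'Linux OS' and every event value are assumptions.

```python
import re

# Patterns transcribed from the three OR branches of the AQL query on this page.
PARENT_RE = re.compile(r'bomgar|beyondtrust|remote_support|rs_app|pra')
CHILD_PROCS = {'cmd.exe', 'powershell.exe', 'sh', 'bash', 'python', 'python3',
               'wget', 'curl', 'nc', 'whoami', 'id'}
INJECTION_RE = re.compile(r'exec|os\.system|shell_exec|command injection|;id;|;whoami;|\$\(id\)')
UA_RE = re.compile(r'python-requests|curl/|go-http-client|exploit|poc/cve-2026-1731')
BT_SOURCES = {'BeyondTrust Remote Support', 'BeyondTrust PRA'}
ALL_SOURCES = BT_SOURCES | {'Microsoft Windows Security Event Log', 'Apache Access Log', 'IIS'}


def match_reason(ev):
    """Return the branch name that fires for one event dict, or None (same logic as the AQL WHERE clause)."""
    if ev.get('logsourcetype') not in ALL_SOURCES:
        return None  # LOGSOURCETYPENAME filter: any other source is never inspected
    parent = ev.get('parentprocessname', '').lower()
    child = ev.get('processname', '').lower()
    payload = ev.get('payload', '').lower()
    if PARENT_RE.search(parent) and child in CHILD_PROCS:
        return 'child_process_from_appliance'
    if ev['logsourcetype'] in BT_SOURCES and INJECTION_RE.search(payload):
        return 'command_injection_payload'
    if ev.get('category') == 'Web' and UA_RE.search(payload):
        return 'exploit_user_agent'
    return None


def run_detection(events):
    """Map event id -> firing branch for every event the query would return."""
    return {ev['id']: r for ev in events if (r := match_reason(ev))}


# Constructed sample events (hypothetical, not real telemetry). Events 1-3 follow the
# expected signals of Tests 1-3 above; events 4-7 probe the query's edges.
SAMPLE_EVENTS = [
    {'id': 1, 'logsourcetype': 'IIS', 'category': 'Web',
     'payload': 'POST /api/unauthenticated/session "CVE-2026-1731-PoC-Test" body=;id;whoami;'},
    {'id': 2, 'logsourcetype': 'Microsoft Windows Security Event Log',
     'parentprocessname': r'C:\Program Files\Bomgar\bomgar-scc.exe', 'processname': 'cmd.exe'},
    {'id': 3, 'logsourcetype': 'Linux OS',  # assumed QRadar type name for auditd events
     'parentprocessname': '/opt/beyondtrust/bin/rs_app', 'processname': 'bash'},
    {'id': 4, 'logsourcetype': 'BeyondTrust PRA', 'payload': 'GET /api/v1?cmd=$(id) HTTP/1.1'},
    {'id': 5, 'logsourcetype': 'Apache Access Log', 'category': 'Web',
     'payload': 'POST /api/unauthenticated/session "python-requests/2.31.0"'},
    {'id': 6, 'logsourcetype': 'Apache Access Log', 'category': 'Web', 'payload': 'GET / "Mozilla/5.0"'},
    {'id': 7, 'logsourcetype': 'IIS', 'parentprocessname': r'C:\Windows\explorer.exe', 'processname': 'cmd.exe'},
]
```

run_detection(SAMPLE_EVENTS) returns events 2, 4 and 5 only: the Test 1 signal (event 1) is missed because the web branch checks user-agents, not the ';id;whoami;' body, and its 'CVE-2026-1731-PoC-Test' agent does not match 'poc/cve-2026-1731', while the Test 3 signal (event 3) is missed because no Linux log source type is in the LOGSOURCETYPENAME filter.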