Detect BeyondTrust Remote Support Pre-Auth Remote Code Execution in Microsoft Sentinel
CVE-2026-1731 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). By sending specially crafted requests, an unauthenticated remote attacker can execute operating system commands in the context of the web application site user. BeyondTrust Remote Support is widely deployed in enterprise and SMB environments for helpdesk and IT support operations, creating direct privileged access to end-user machines. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalogue, with active exploitation observed in the wild (GreyNoise confirmed reconnaissance scanning). A working proof-of-concept exploit is publicly available on GitHub. Successful exploitation provides attackers with a foothold in the support infrastructure, enabling lateral movement to all machines with active or historical BeyondTrust support sessions.
MITRE ATT&CK
- Tactics: Initial Access, Execution
- Technique: T1190 Exploit Public-Facing Application
KQL Detection Query
// CVE-2026-1731 - BeyondTrust Remote Support Pre-Auth RCE
// Detect exploitation attempts against the BeyondTrust RS/PRA web interface
// via IIS web server access logs (W3CIISLog) and CEF firewall/IDS alerts (CommonSecurityLog)
let BeyondTrustPorts = dynamic([80, 443, 8080, 8443]);
let RCEIndicatorPaths = dynamic([
    "/beyondtrust", "/support", "/remote", "/api/",
    "/login", "/session", "/websocket"
]);
let SuspiciousUserAgents = dynamic([
    "python-requests", "curl", "wget", "Go-http-client",
    "Nuclei", "zgrab", "masscan"
]);
union CommonSecurityLog, W3CIISLog
| where TimeGenerated > ago(24h)
// W3CIISLog has no CEF-style columns; map its fields onto them so IIS rows
// are not dropped by the port and URL filters below
| extend DestinationPort = coalesce(DestinationPort, toint(sPort)),
         SourceIP = coalesce(SourceIP, cIP),
         DestinationIP = coalesce(DestinationIP, sIP),
         RequestMethod = coalesce(RequestMethod, csMethod),
         RequestURL = coalesce(RequestURL, csUriStem),
         UserAgent = coalesce(RequestClientApplication, csUserAgent)
| where DestinationPort in (BeyondTrustPorts)
    and (DeviceVendor has_any ("BeyondTrust", "Bomgar")
        or RequestURL has_any ("/beyondtrust", "/remote", "/login"))
| where UserAgent has_any (SuspiciousUserAgents)
    or Message has_any ("command injection", "os.system", "exec", "shell", "/bin/sh", "cmd.exe")
    or (RequestMethod in ("POST", "PUT") and RequestURL has_any (RCEIndicatorPaths))
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort,
          RequestURL, RequestMethod, UserAgent, Message, AdditionalExtensions
| extend ThreatIndicator = "CVE-2026-1731-BeyondTrust-PreAuthRCE"
| sort by TimeGenerated desc

Detects exploitation attempts against BeyondTrust Remote Support by monitoring web access logs and IDS alerts for requests to BeyondTrust endpoints from scanner user agents, command injection indicators in the alert message, and POST or PUT requests to BeyondTrust API paths. The query reads CommonSecurityLog and W3CIISLog only; endpoint security logs showing command execution in the BeyondTrust web application context (the web daemon spawning a shell) are a complementary signal, listed under the testing methodology below.
Data Sources
- IIS web server access logs and CEF-formatted firewall or IDS alerts covering the BeyondTrust web interface
Required Tables
- CommonSecurityLog
- W3CIISLog
False Positives & Tuning
- Legitimate vulnerability scanners or pen test tools probing BeyondTrust during authorised assessments
- BeyondTrust REST API clients with non-standard user agent strings
- Load balancer health checks against BeyondTrust web interface
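The following is an added example, not part of the page's Sentinel rule or of BeyondTrust's or Microsoft's tooling. It re-expresses the KQL rule's logic in Python so the matching can be run offline over constructed CEF (CommonSecurityLog-style) and W3C IIS (W3CIISLog-style) log lines, and adds the tuning step the False Positives list calls for: an allowlist for a load balancer doing health checks. The allowlisted address and health-check user agent are assumed values, and KQL `has_any` (a whole-term match) is approximated with case-insensitive substring matching.

```python
import re
from collections import namedtuple

# The lists mirror the dynamic() arrays in the page's KQL rule.
BEYONDTRUST_PORTS = {80, 443, 8080, 8443}
RCE_INDICATOR_PATHS = ("/beyondtrust", "/support", "/remote", "/api/",
                       "/login", "/session", "/websocket")
SUSPICIOUS_USER_AGENTS = ("python-requests", "curl", "wget", "Go-http-client",
                          "Nuclei", "zgrab", "masscan")
INJECTION_TERMS = ("command injection", "os.system", "exec", "shell",
                   "/bin/sh", "cmd.exe")
# Tuning allowlists for the benign sources in the False Positives list (assumed values, not real hosts).
ALLOWLISTED_SOURCE_IPS = {"10.0.0.5"}             # assumed load balancer
ALLOWLISTED_USER_AGENTS = ("ELB-HealthChecker",)  # assumed health-check agent

# One normalised request, i.e. what a row looks like after the KQL union and coalesce.
WebEvent = namedtuple("WebEvent", "source_ip dest_port method url user_agent message vendor",
                      defaults=("", ""))

def has_any(text, terms):
    """Case-insensitive substring test; approximates KQL has_any, which matches whole terms."""
    return any(t.lower() in text.lower() for t in terms)

def parse_cef(line):
    """Parse a CEF line as CommonSecurityLog stores it (src, dpt, request, msg ...)."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]))
    return WebEvent(source_ip=ext.get("src", ""), dest_port=int(ext.get("dpt", "0")),
                    method=ext.get("requestMethod", ""), url=ext.get("request", ""),
                    user_agent=ext.get("requestClientApplication", ""),
                    message=ext.get("msg", ""), vendor=parts[1])

IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status").split()

def parse_iis(line):
    """Parse a W3C IIS line (what W3CIISLog ingests); IIS writes '+' for spaces in the UA."""
    cols = line.split()
    if len(cols) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, cols))
    return WebEvent(source_ip=rec["c-ip"], dest_port=int(rec["s-port"]),
                    method=rec["cs-method"], url=rec["cs-uri-stem"],
                    user_agent=rec["cs(User-Agent)"].replace("+", " "))

def parse_line(line):
    """Dispatch on format: CEF lines, W3C directives (skipped), otherwise IIS."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    return None if line.startswith("#") or not line.strip() else parse_iis(line)

def matches_rule(ev):
    """Return why the KQL rule would fire for this event, or None if it would not."""
    if ev.dest_port not in BEYONDTRUST_PORTS:
        return None
    if not (has_any(ev.vendor, ("BeyondTrust", "Bomgar"))
            or has_any(ev.url, ("/beyondtrust", "/remote", "/login"))):
        return None
    if has_any(ev.user_agent, SUSPICIOUS_USER_AGENTS):
        return "scanner user agent"
    if has_any(ev.message, INJECTION_TERMS):
        return "command injection indicator"
    if ev.method in ("POST", "PUT") and has_any(ev.url, RCE_INDICATOR_PATHS):
        return "POST/PUT to BeyondTrust path"
    return None

def is_allowlisted(ev):
    """Tuning step: suppress the known-benign sources before alerting."""
    return ev.source_ip in ALLOWLISTED_SOURCE_IPS or has_any(ev.user_agent, ALLOWLISTED_USER_AGENTS)

def run_detection(lines):
    """Return (alerts, suppressed_count) for a batch of raw log lines."""
    alerts, suppressed = [], 0
    for line in lines:
        ev = parse_line(line)
        reason = matches_rule(ev) if ev else None
        if reason is None:
            continue
        if is_allowlisted(ev):
            suppressed += 1
            continue
        alerts.append({"source_ip": ev.source_ip, "url": ev.url, "reason": reason,
                       "indicator": "CVE-2026-1731-BeyondTrust-PreAuthRCE"})
    return alerts, suppressed

# Constructed sample lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG_LINES = [
    "CEF:0|BeyondTrust|Remote Support|1.0|100|HTTP Request|5|src=198.51.100.23 dpt=443 "
    "requestMethod=POST request=/login requestClientApplication=python-requests/2.31 msg=POST /login",
    "2026-03-01 10:00:01 192.0.2.10 POST /remote - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200",
    "2026-03-01 10:00:02 192.0.2.10 GET /login - 443 - 10.0.0.5 curl/8.0 200",
    "2026-03-01 10:00:03 192.0.2.10 GET /images/logo.png - 443 - 203.0.113.8 Mozilla/5.0 200",
]
```

Running `run_detection(SAMPLE_LOG_LINES)` yields two alerts (the scanner user agent on the CEF line and the POST to /remote from the IIS log) and one suppressed hit: the curl request from the assumed load balancer matches the scanner-agent clause exactly as the page's third false-positive bullet predicts, and only the allowlist keeps it out of the alert queue. The same allowlist can be expressed in the KQL rule with a `where SourceIP !in (...)` or `where UserAgent !has_any (...)` step before the project.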
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Send a crafted POST request to the BeyondTrust login endpoint
  Expected signal: web server access log entry for POST /login from the attacker IP; process creation showing w3wp.exe or the web daemon spawning cmd.exe or /bin/sh.
References
- https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
- https://nvd.nist.gov/vuln/detail/CVE-2026-1731
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.greynoise.io/blog/reconnaissance-beyondtrust-rce-cve-2026-1731
- https://github.com/win3zz/CVE-2026-1731
- https://attack.mitre.org/techniques/T1190/