CVE-2026-1731 Sumo Logic CSE · Sumo

Detect BeyondTrust Remote Support Pre-Auth RCE (CVE-2026-1731) in Sumo Logic CSE

Detects exploitation of CVE-2026-1731, a pre-authentication remote code execution vulnerability (CWE-78, OS command injection) in BeyondTrust Remote Support and Privileged Remote Access. CVSS 9.8. Actively exploited in the wild (CISA KEV). Attackers can execute arbitrary OS commands without authentication via crafted HTTP requests to the appliance web interface.

MITRE ATT&CK

Tactic
  • Initial Access
  • Execution
  • Lateral Movement

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=beyondtrust* OR _sourceCategory=windows/security OR _sourceCategory=iis/access OR _sourceCategory=network/firewall
| parse regex field=_raw "(?<parent_proc>bomgar[^\s]*|beyondtrust[^\s]*|remote_support[^\s]*|rs_app[^\s]*)" nodrop
| parse regex field=_raw "(?<child_proc>cmd\.exe|powershell\.exe|/bin/sh|/bin/bash|python3?|wget|curl|\bnc\b|ncat|whoami|\bid\b)" nodrop
| parse regex field=_raw "(?<http_ua>python-requests[^\s]*|curl/[^\s]*|Go-http-client[^\s]*|exploit[^\s]*|CVE-2026-1731[^\s]*)" nodrop
| parse regex field=_raw "(?<inject_cmd>;id;|;whoami;|\$\(id\)|\$\(whoami\)|os\.system|shell_exec|exec\()" nodrop
// nodrop keeps messages that do not match but leaves the field null, so test with isNull instead of comparing to ""
| where (!isNull(parent_proc) and !isNull(child_proc))
    or !isNull(http_ua)
    or !isNull(inject_cmd)
// Sumo Logic has no eval operator; the conditional is written as if(...) as <field>
| if(!isNull(parent_proc) and !isNull(child_proc), "SuspiciousChildProcess",
    if(!isNull(http_ua), "ExploitUserAgent", "CommandInjectionPayload")) as detection_type
| count by _sourceHost, detection_type, parent_proc, child_proc, http_ua, inject_cmd
| sort by _count desc

Severity: critical · Confidence: medium

Sumo Logic query aggregating BeyondTrust appliance logs, Windows security events, IIS logs, and network logs to detect CVE-2026-1731 exploitation via child process anomalies, exploit HTTP user-agents, and command injection payloads.

Data Sources

  • BeyondTrust Syslog
  • Windows Security Events
  • IIS Access Logs
  • Network Firewall

Required Tables

  • _sourceCategory=beyondtrust*
  • _sourceCategory=iis/access
  • _sourceCategory=windows/security

False Positives & Tuning

  • Legitimate DevOps pipelines using curl or python-requests to call BeyondTrust REST APIs
  • Scheduled BeyondTrust maintenance scripts that invoke system utilities
  • Security monitoring agents that use standard HTTP libraries and POST to appliance endpoints


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2026-1731 PoC HTTP Request Simulation

    Expected signal: IIS/nginx access log entry: POST /api/unauthenticated/session with user-agent 'CVE-2026-1731-PoC-Test' and POST body containing ';id;whoami;'. WAF should log or block the request.

  2. Test 2: BeyondTrust Service Account Spawning Shell (Simulated Post-Exploitation)

    Expected signal: Windows Security Event 4688: new process cmd.exe with parent process belonging to BeyondTrust service account (btrs_service). Process command line contains whoami, hostname, ipconfig, net user.

  3. Test 3: BeyondTrust Process Outbound Reverse Shell Simulation

    Expected signal: Linux auditd execve syscall: bash -i spawned by beyondtrust service process. Network connection record: beyondtrust process connecting outbound to LAB_ATTACKER_IP:4444 (non-standard port, external IP).
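The following Python script is an added example, not part of this detection package or of any BeyondTrust or Sumo Logic code. It reimplements the four parse-regex stages, the `where` filter and the `if(...)` precedence of the Sumo query above, then runs them over constructed log lines shaped like the expected signals of the three tests (a WAF record of the PoC request, a Windows 4688 event, an auditd-style execve record) plus a DevOps false positive and a benign request. The log lines, hostnames, IPs and field names are all constructed for the example; the service-account name `btrs_service` and the PoC user-agent come from the test descriptions on this page.

```python
import re
from collections import Counter

# Regexes mirror the four parse-regex stages of the Sumo Logic query on this page.
# PARENT_PROC is matched case-insensitively here because product paths such as
# "C:\Program Files\Bomgar\" are capitalised in Windows telemetry; the Sumo regex
# as written is case-sensitive unless prefixed with (?i).
PARENT_PROC = re.compile(r"(bomgar\S*|beyondtrust\S*|remote_support\S*|rs_app\S*)", re.IGNORECASE)
CHILD_PROC = re.compile(r"(cmd\.exe|powershell\.exe|/bin/sh|/bin/bash|python3?|wget|curl|\bnc\b|ncat|whoami|\bid\b)")
HTTP_UA = re.compile(r"(python-requests\S*|curl/\S*|Go-http-client\S*|exploit\S*|CVE-2026-1731\S*)")
INJECT_CMD = re.compile(r"(;id;|;whoami;|\$\(id\)|\$\(whoami\)|os\.system|shell_exec|exec\()")

# Constructed sample telemetry, one line per scenario (not real captures).
SAMPLE_LOGS = [
    # Test 1: WAF record of the PoC request; both the user-agent and the body match.
    'waf: 203.0.113.7 POST /api/unauthenticated/session ua="CVE-2026-1731-PoC-Test" body="user=;id;whoami;" action=block',
    # Test 2: Windows 4688, appliance service process spawning cmd.exe.
    'EventID=4688 SubjectUserName=btrs_service NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'ParentProcessName="C:\\Program Files\\Bomgar\\rs_app.exe" CommandLine="cmd.exe /c whoami && hostname && net user"',
    # Test 3: simplified auditd-style execve record of an interactive shell under the service.
    'auditd: execve pid=1345 ppid=1200 parent_comm=beyondtrust_rs exe=/bin/bash proctitle="bash -i"',
    # Injection payload arriving with an ordinary browser user-agent.
    'iis: 198.51.100.4 POST /api/unauthenticated/session ua="Mozilla/5.0" body="name=$(whoami)"',
    # Tuning case from the False Positives list: a DevOps job calling the REST API.
    'iis: 10.0.0.20 GET /api/config ua="python-requests/2.31.0" status=200',
    # Benign interactive request that must not fire.
    'iis: 10.0.0.31 GET /login ua="Mozilla/5.0 (Windows NT 10.0)" status=200',
]


def classify(line: str):
    """Apply the query's where-filter and if(...) precedence to one raw log line.

    Returns (detection_type, fields) for a hit, or None when the line would be
    dropped by the where clause. Null fields are None, as they are in Sumo after nodrop.
    """
    def first(rx):
        m = rx.search(line)
        return m.group(0) if m else None

    fields = {
        "parent_proc": first(PARENT_PROC),
        "child_proc": first(CHILD_PROC),
        "http_ua": first(HTTP_UA),
        "inject_cmd": first(INJECT_CMD),
    }
    # Same precedence as the nested if(): child-process pairing wins over user-agent,
    # which wins over an injection payload found alone.
    if fields["parent_proc"] and fields["child_proc"]:
        dtype = "SuspiciousChildProcess"
    elif fields["http_ua"]:
        dtype = "ExploitUserAgent"
    elif fields["inject_cmd"]:
        dtype = "CommandInjectionPayload"
    else:
        return None
    return dtype, fields


def run_detection(lines):
    """Classify every line and aggregate hits the way `count by detection_type` would."""
    hits = [(line, *result) for line in lines if (result := classify(line))]
    counts = Counter(dtype for _, dtype, _ in hits)
    return hits, counts


if __name__ == "__main__":
    hits, counts = run_detection(SAMPLE_LOGS)
    for line, dtype, fields in hits:
        matched = {k: v for k, v in fields.items() if v}
        print(f"{dtype:24} {matched}")
    print(dict(counts))
```

Two things the run makes visible that the query text alone does not: the PoC request is labelled ExploitUserAgent even though its body also carries `;id;whoami;`, because the user-agent branch is tested first, and the DevOps `python-requests` call is counted as a hit exactly as the False Positives section warns, so an allow-list on source host or user-agent is needed before this fires at critical severity. Note also that every regex runs over `_raw` of every source category, so a hostname containing `beyondtrust` in an IIS line together with `curl` in its user-agent would pair as parent and child process; scoping the first two regexes to process-creation sources avoids that.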

Unlock Pro Content

Get the full detection package for CVE-2026-1731 including response playbook, investigation guide, and atomic red team tests.

  • Response Playbook
  • Investigation Guide
  • Hunting Queries
  • Atomic Red Team Tests
  • Tuning Guidance
