Detect Balbooa Forms Unrestricted File Upload Exploitation (CVE-2026-56291) in Microsoft Sentinel
Detects exploitation attempts against CVE-2026-56291, an unrestricted upload of file with dangerous type vulnerability (CWE-434) in Balbooa Forms for Joomla. This vulnerability is listed in CISA KEV, indicating confirmed active exploitation. Attackers abuse the forms file upload functionality to upload web shells or other malicious executable content (PHP, PHTML, PHAR, etc.) bypassing extension/type restrictions, leading to remote code execution on the underlying web server.
MITRE ATT&CK
- Tactic
- Initial Access Execution
KQL Detection Query
// Microsoft Sentinel - Detect Balbooa Forms webshell upload / RCE attempt (CVE-2026-56291)
let suspiciousExt = dynamic([".php",".phtml",".phar",".php5",".php7",".pht",".jsp",".asp",".aspx"]);
W3CIISLog
| where csUriStem has_any ("/components/com_balbooaforms", "/media/com_balbooaforms", "joomla") and cUriQuery has_any ("upload", "file")
| where csMethod == "POST"
| where cUriStem has_any (suspiciousExt)
| extend UploadedFile = extract(@"([^/\\]+\.(php\d?|phtml|phar|pht|jsp|asp|aspx))", 1, csUriStem)
| project TimeGenerated, cIP, csUriStem, csUserAgent, scStatus, UploadedFile
| union (
W3CIISLog
| where cUriStem has "com_balbooaforms" and csMethod == "POST" and scStatus in (200,201,302)
| project TimeGenerated, cIP, csUriStem, csUserAgent, scStatus, UploadedFile="unknown"
)
| sort by TimeGenerated desc Detects HTTP POST requests to Balbooa Forms Joomla component upload endpoints containing dangerous file extensions consistent with webshell upload exploitation of CVE-2026-56291.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate file uploads with similarly named but benign attachments (e.g. .php in a filename used decoratively)
- Internal QA/testing of the forms component uploading test files
- Misconfigured logging causing false extension matches from query strings
Other platforms for CVE-2026-56291
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate dangerous file extension upload POST request
Expected signal: Web server access log entry showing POST request to com_balbooaforms upload endpoint with filename test_shell.php and 200/201 status code.
- Test 2Upload double-extension bypass file (.phtml)
Expected signal: Web access log entry for POST request with mismatched Content-Type (image/jpeg) and .phtml extension in filename.
- Test 3Windows IIS-hosted Joomla upload simulation
Expected signal: W3CIISLog entry recording POST to com_balbooaforms endpoint with cs-uri-stem containing test_shell.aspx.
References (4)
Unlock Pro Content
Get the full detection package for CVE-2026-56291 including response playbook, investigation guide, and atomic red team tests.