Detect NET runtime being loaded in JScript for code execution

DeviceImageLoadEvents 
| where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
| where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")

name: Detect .NET runtime being loaded in JScript for code execution
kind: Scheduled
tactics:
- Execution
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
status: Available
queryFrequency: 1h
id: 9f921513-65f3-48a2-ae7d-326c5901c55e
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceImageLoadEvents
relevantTechniques:
- T1204
description: |
  This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter.
  All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.   
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: InitiatingProcessAccountSid
    identifier: Sid
  - columnName: InitiatingProcessAccountName
    identifier: Name
  - columnName: InitiatingProcessAccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Process
  fieldMappings:
  - columnName: InitiatingProcessCommandLine
    identifier: CommandLine
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DotNetToJScript.yaml
queryPeriod: 1h
severity: Medium
query: |
  DeviceImageLoadEvents 
  | where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
  | where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")