Detect NET runtime being loaded in JScript for code execution

DeviceImageLoadEvents 
| where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
| where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")

query: |
  DeviceImageLoadEvents 
  | where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
  | where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")  
entityMappings:
- fieldMappings:
  - identifier: Sid
    columnName: InitiatingProcessAccountSid
  - identifier: Name
    columnName: InitiatingProcessAccountName
  - identifier: NTDomain
    columnName: InitiatingProcessAccountDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: CommandLine
    columnName: InitiatingProcessCommandLine
  entityType: Process
triggerOperator: gt
description: |
  This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter.
  All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.   
tactics:
- Execution
severity: Medium
queryFrequency: 1h
kind: Scheduled
name: Detect .NET runtime being loaded in JScript for code execution
triggerThreshold: 0
status: Available
id: 9f921513-65f3-48a2-ae7d-326c5901c55e
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceImageLoadEvents
relevantTechniques:
- T1204
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DotNetToJScript.yaml
queryPeriod: 1h