Detect NET runtime being loaded in JScript for code execution

DeviceImageLoadEvents 
| where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
| where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")

description: |
  This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter.
  All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.   
kind: Scheduled
tactics:
- Execution
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceImageLoadEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DotNetToJScript.yaml
severity: Medium
name: Detect .NET runtime being loaded in JScript for code execution
triggerThreshold: 0
queryPeriod: 1h
query: |
  DeviceImageLoadEvents 
  | where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
  | where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")  
relevantTechniques:
- T1204
id: 9f921513-65f3-48a2-ae7d-326c5901c55e
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: InitiatingProcessAccountSid
    identifier: Sid
  - columnName: InitiatingProcessAccountName
    identifier: Name
  - columnName: InitiatingProcessAccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Process
  fieldMappings:
  - columnName: InitiatingProcessCommandLine
    identifier: CommandLine