Detect NET runtime being loaded in JScript for code execution

Back


Id	9f921513-65f3-48a2-ae7d-326c5901c55e
Rulename	Detect .NET runtime being loaded in JScript for code execution
Description	This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.
Severity	Medium
Tactics	Execution
Techniques	T1204
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DotNetToJScript.yaml
Version	1.0.0
Arm template	9f921513-65f3-48a2-ae7d-326c5901c55e.json

KQL

DeviceImageLoadEvents 
| where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
| where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")

YAML

requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceImageLoadEvents
tactics:
- Execution
description: |
  This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter.
  All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.   
query: |
  DeviceImageLoadEvents 
  | where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll") 
  | where tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")  
id: 9f921513-65f3-48a2-ae7d-326c5901c55e
triggerOperator: gt
relevantTechniques:
- T1204
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DotNetToJScript.yaml
queryFrequency: 1h
severity: Medium
entityMappings:
- fieldMappings:
  - columnName: InitiatingProcessAccountSid
    identifier: Sid
  - columnName: InitiatingProcessAccountName
    identifier: Name
  - columnName: InitiatingProcessAccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: InitiatingProcessCommandLine
    identifier: CommandLine
  entityType: Process
name: Detect .NET runtime being loaded in JScript for code execution
queryPeriod: 1h
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
status: Available

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9f921513-65f3-48a2-ae7d-326c5901c55e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9f921513-65f3-48a2-ae7d-326c5901c55e')]",
      "properties": {
        "alertRuleTemplateName": "9f921513-65f3-48a2-ae7d-326c5901c55e",
        "customDetails": null,
        "description": "This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter.\nAll based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript. \n",
        "displayName": "Detect .NET runtime being loaded in JScript for code execution",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessAccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "InitiatingProcessAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "InitiatingProcessAccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DotNetToJScript.yaml",
        "query": "DeviceImageLoadEvents \n| where FileName in~ (\"mscoree.dll\", \"mscorlib.dll\", \"mscorlib.ni.dll\") \n| where tolower(InitiatingProcessFileName) in (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}