Detection rules › Kusto Query Language
Detect .NET runtime being loaded in JScript for code execution
This query detects the .NET runtime being loaded by wscript.exe or cscript.exe (the predicate below also covers mshta.exe) to run .NET code, as done by tools such as CACTUSTORCH and SharpShooter. All of these are based on DotNetToJScript by James Forshaw, documented at https://github.com/tyranid/DotNetToJScript.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204 User Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
| Defender-DeviceImageLoadEvents | 9006000 | Image load (any) |
Stages and Predicates
Stage 1: source
DeviceImageLoadEvents
Stage 2: where
FileName in ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll")
Stage 3: where
macro: tolower(InitiatingProcessFileName) in ("wscript.exe", "cscript.exe", "mshta.exe")
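The three stages above assembled into one Advanced Hunting query that can be run as-is against the Defender DeviceImageLoadEvents table. This is an added example, not the catalogue's own query text: the 7-day time window, the case-insensitive `in~` form (image names are sometimes reported in upper case) and the projected columns are this example's choices.

```kusto
// Added example: stages 1-3 of the rule as a complete Defender Advanced Hunting query.
// Time window, case-insensitive matching and the projected columns are assumptions
// of this example, not part of the catalogue rule.
DeviceImageLoadEvents
| where Timestamp > ago(7d)
// Stage 2: the CLR host / core library images that a DotNetToJScript-style loader pulls in
| where FileName in~ ("mscoree.dll", "mscorlib.dll", "mscorlib.ni.dll")
// Stage 3: script hosts that have no legitimate reason to host the .NET runtime
| where InitiatingProcessFileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
// Keep the fields an analyst needs to triage: which script ran, who ran it, and from where
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, FileName, FolderPath, SHA256
| order by Timestamp desc
```

InitiatingProcessCommandLine identifies the script file that triggered the load, and InitiatingProcessParentFileName shows what launched the script host (an Office application or a browser download being the usual initial-access pattern). If an environment has legitimate signed management scripts that load the CLR through cscript.exe, exclude them by FolderPath or SHA256 of the script rather than by removing the host from stage 3.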
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| FileName | in | mscoree.dll, mscorlib.dll, mscorlib.ni.dll |