
Microsoft Build Engine Started by a System Process

Elastic Detection Rules

Summary
This detection rule identifies the Microsoft Build Engine (MSBuild.exe) being started by a process that should not normally launch it: Windows Explorer (explorer.exe) or the WMI Provider Host (wmiprvse.exe, the process that spawns child processes on behalf of WMI). MSBuild is a signed, trusted Microsoft binary that developers and build systems run from an IDE, a shell or a CI agent, and it will compile and execute C# code embedded in a project file as an inline task. That makes it a convenient proxy for running attacker-supplied code under a trusted signature (ATT&CK T1127, Trusted Developer Utilities Proxy Execution, and its sub-technique T1127.001, MSBuild); a launch from the desktop shell or from WMI, a common remote-execution channel, is the anomaly this rule keys on.

The rule's EQL (Event Query Language) query inspects Windows process start events and matches when the process name is MSBuild.exe and the parent process is explorer.exe or wmiprvse.exe. The match is on process and parent names only; the command line, the project file and the user account are left for triage.

Investigation steps:
  • Examine the process tree to confirm the parent-child relationship and find what launched the parent (for a WMI parent, who issued the WMI call and from where).
  • Review MSBuild's command-line arguments, in particular the project file it was given; a project file in a user-writable or temporary directory, or one written shortly before the launch, deserves close attention.
  • Establish the user context: which account ran MSBuild, whether that account builds software, and whether the session was interactive or remote.
  • Correlate with other telemetry from the same host and time window (child processes of MSBuild, files it wrote, network connections it opened, the logon session).
  • Validate against known false positives: a user launching MSBuild from a desktop shortcut or the Run dialog also has explorer.exe as its parent, so confirm the project file and the account before escalating.

Mitigation, once the activity is confirmed malicious: isolate the affected host, scan it and recover the project file MSBuild was handed, and extend monitoring so that similar launches (MSBuild or other trusted developer utilities started from unusual parents) are caught going forward.
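The rule's matching logic, re-implemented in Python over constructed ECS-shaped process events so it can be exercised offline. This is an added example, not Elastic's rule code or its EQL query: the parent list treats wmiprvse.exe as the concrete "WMI process" the rule refers to, the sample events are made up, and the `triage` helper is an illustration of which fields an analyst pulls first.

```python
"""Re-implementation of the "MSBuild started by a system process" match
over ECS-shaped process events. Added example; not Elastic's rule code."""
from typing import Iterable

# Parents that should not legitimately spawn MSBuild.exe. explorer.exe is named
# by the rule; wmiprvse.exe (WMI Provider Host) is assumed here to be the
# "WMI process" the rule's description refers to.
SYSTEM_PARENTS = {"explorer.exe", "wmiprvse.exe"}


def is_msbuild_by_system_process(event: dict) -> bool:
    """True for a Windows process *start* of MSBuild.exe whose parent is one of
    SYSTEM_PARENTS. Names are compared case-insensitively, as the EQL ':'
    operator does, so 'WmiPrvSE.exe' and 'wmiprvse.exe' are the same parent."""
    if event.get("event", {}).get("type") != "start":
        return False                      # process end/info events are ignored
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    proc = event.get("process", {})
    name = proc.get("name", "").lower()
    parent = proc.get("parent", {}).get("name", "").lower()
    return name == "msbuild.exe" and parent in SYSTEM_PARENTS


def triage(event: dict) -> dict:
    """Fields an analyst looks at first: parent, command line (project file),
    user and pid. Hypothetical helper, not part of the rule."""
    proc = event["process"]
    return {
        "parent": proc.get("parent", {}).get("name"),
        "command_line": proc.get("command_line"),
        "user": event.get("user", {}).get("name"),
        "pid": proc.get("pid"),
    }


def find_alerts(events: Iterable[dict]) -> list:
    """Run the match over a stream of events and return triage records."""
    return [triage(e) for e in events if is_msbuild_by_system_process(e)]


def _event(parent: str, cmdline: str, user: str, pid: int, etype: str = "start") -> dict:
    return {
        "event": {"type": etype},
        "host": {"os": {"type": "windows"}},
        "user": {"name": user},
        "process": {"pid": pid, "name": "MSBuild.exe",
                    "command_line": cmdline, "parent": {"name": parent}},
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Suspicious: the desktop shell spawning MSBuild on a project in %TEMP%.
    _event("explorer.exe",
           r"MSBuild.exe C:\Users\jsmith\AppData\Local\Temp\build.xml", "jsmith", 4120),
    # Suspicious: WMI Provider Host launching MSBuild (mixed-case parent name).
    _event("WmiPrvSE.exe",
           r"MSBuild.exe C:\ProgramData\t.csproj /nologo", "svc-deploy", 5288),
    # Benign: Visual Studio building a solution.
    _event("devenv.exe", r"MSBuild.exe App.sln /t:Build", "jsmith", 6010),
    # Benign: developer running a build from a terminal.
    _event("cmd.exe", r"msbuild App.csproj", "jsmith", 6120),
    # Not a start event: a termination record with a matching parent must not fire.
    _event("explorer.exe", r"MSBuild.exe x.proj", "jsmith", 4120, etype="end"),
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(hit)
```

The two events that fire are exactly the explorer.exe and WmiPrvSE.exe parents; the devenv.exe and cmd.exe launches, which are what a developer's normal MSBuild use looks like, do not, and neither does a non-start event. Note that the match says nothing about the project file: the `command_line` field in each hit is where triage begins.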
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • WMI
  • Application Log
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1127
  • T1127.001
Created: 2020-03-25