
Summary
This detection rule identifies potentially malicious use of MSBuild.exe launched by a Windows Script Host process (cscript.exe or wscript.exe). This parent-child relationship is frequently observed in malicious activity, where a script invokes MSBuild to compile and run attacker-supplied code from a project file, abusing a trusted, Microsoft-signed developer utility to proxy execution (T1127.001). The analytic uses process creation telemetry from Endpoint Detection and Response (EDR) systems, matching events where MSBuild.exe is spawned as a child of either script host. Such events warrant investigation because they can indicate unauthorized code execution on the host, risking compromise and further exploitation.
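The matching logic described above, run over a few constructed process-creation events, as an added example that is not the page's own rule or query. The field names (host, user, parent_process, process) and the sample command lines are assumptions modelled on typical Sysmon/EDR process-creation telemetry; the check normalises both image names from their command lines so that quoting, path and case differences (MSBuild.exe vs msbuild.exe) do not cause misses.

```python
# Added example (not the page's own rule): flag MSBuild.exe spawned by a
# Windows Script Host process over constructed process-creation events.
# Field names and sample command lines are assumptions, not real telemetry.
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
TARGET_IMAGE = "msbuild.exe"


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_process: str  # full command line of the parent process
    process: str         # full command line of the child process


def image_name(cmdline: str) -> str:
    """Return the lowercase executable file name from a command line.

    Handles both quoted ("C:\\Program Files\\...\\x.exe" args) and unquoted
    (C:\\Windows\\System32\\x.exe args) forms.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end != -1 else cmdline[1:]
    else:
        exe = cmdline.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def is_msbuild_from_wsh(ev: ProcessEvent) -> bool:
    """True when the child is MSBuild.exe and the parent is cscript/wscript."""
    return (image_name(ev.process) == TARGET_IMAGE
            and image_name(ev.parent_process) in SCRIPT_HOSTS)


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that satisfy the analytic."""
    return [ev for ev in events if is_msbuild_from_wsh(ev)]


# Constructed sample events: two that should match, two that should not.
SAMPLE_EVENTS = [
    ProcessEvent(  # wscript launching MSBuild from a temp directory: match
        host="WS01", user="CORP\\alice",
        parent_process=r"C:\Windows\System32\wscript.exe C:\Users\alice\AppData\Local\Temp\update.js",
        process=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml",
    ),
    ProcessEvent(  # quoted cscript parent, different casing on the child: match
        host="WS02", user="CORP\\bob",
        parent_process=r'"C:\Windows\System32\cscript.exe" //nologo deploy.vbs',
        process=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" proj.csproj',
    ),
    ProcessEvent(  # MSBuild under Visual Studio: expected developer activity, no match
        host="DEV01", user="CORP\\carol",
        parent_process=r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"',
        process=r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" app.sln',
    ),
    ProcessEvent(  # script host spawning something other than MSBuild: no match
        host="WS03", user="CORP\\dave",
        parent_process=r"C:\Windows\System32\wscript.exe logon.vbs",
        process=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden",
    ),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.host} {hit.user}: {hit.parent_process!r} -> {hit.process!r}")
```

In production the same parent/child test is expressed in the EDR or SIEM query language rather than Python; the value of the example is the normalisation step. Before alerting, baseline the hits against build automation that legitimately drives MSBuild from a .vbs or .js wrapper, since that is the main source of benign matches for this analytic.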
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1127.001
- T1127
Created: 2024-11-13