Microsoft Build Engine Suspicious Parent Process

Anvilogic Forge

Summary
This detection rule targets potentially malicious activity involving the Microsoft Build Engine (msbuild.exe) when it is spawned by a scripting interpreter such as CMD or PowerShell. Adversaries often abuse trusted developer tools to execute malicious payloads because the tools' legitimate signatures help the activity evade detection. This rule monitors instances where msbuild.exe is launched from processes that are typically used for scripting and command execution. The logic uses Sysmon event data and matches specific parent-child process relationships to identify these executions, which may indicate an attempt to use msbuild as a vector for running unwanted code. The rule uses regex matching so that the processes involved are identified and classified in context.
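The parent-child check described above, applied in Python to constructed Sysmon process-creation records, as an added example (this is not Anvilogic's rule logic, which the page does not reproduce). Assumptions: Sysmon Event ID 1 with its Image/ParentImage/CommandLine fields is the data source, and the parent set beyond cmd.exe and powershell.exe (pwsh.exe, wscript.exe, cscript.exe) is an illustrative choice, not the rule's actual list.

```python
import re
from typing import Iterable, List

# Scripting interpreters treated as suspicious parents of msbuild.exe.
# Assumed set for this example; the rule's exact list is not shown on the page.
PARENT_RE = re.compile(r"(?:^|\\)(?:cmd|powershell|pwsh|wscript|cscript)\.exe$", re.IGNORECASE)
# Match msbuild.exe as the final path component, whatever the install directory.
CHILD_RE = re.compile(r"(?:^|\\)msbuild\.exe$", re.IGNORECASE)


def is_suspicious_msbuild(event: dict) -> bool:
    """True when a Sysmon Event ID 1 record shows msbuild.exe spawned by a scripting interpreter."""
    if str(event.get("EventID")) != "1":  # only process-creation events carry ParentImage
        return False
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    return bool(CHILD_RE.search(image) and PARENT_RE.search(parent))


def find_suspicious(events: Iterable[dict]) -> List[dict]:
    """Filter a stream of Sysmon records down to the ones the rule would flag."""
    return [e for e in events if is_suspicious_msbuild(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\build.xml"},                      # flagged
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msbuild.exe proj.csproj"},                                     # flagged
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe App.sln"},                                         # IDE parent: benign
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "notepad.exe"},                                                  # wrong child
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                                 # network event, ignored
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} spawned by {hit['ParentImage']}")
```

Tuning for a real environment means adding exclusions for known build pipelines that launch msbuild from scripts, rather than loosening the parent regex.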
Categories
  • Windows
  • Cloud
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • Command
  • Script
ATT&CK Techniques
  • T1059.001
  • T1127.001
  • T1059
  • T1127
  • T1059.005
  • T1059.003
Created: 2024-02-09