
Process Injection by the Microsoft Build Engine

Elastic Detection Rules

Summary
This rule detects the use of the Microsoft Build Engine (MSBuild) for process injection by alerting when an MSBuild process creates a remote thread in another process. MSBuild is a signed Microsoft binary that will compile and run C# placed in an inline task of a project file, so attackers use it to proxy execution of their own code (T1127.001) and then inject that code into a trusted process (T1055). Running inside a trusted process hides the payload from simple process-based detections and, depending on the target, can provide a path to higher privileges.

The rule is written in EQL (Event Query Language) and reads Sysmon events collected by Winlogbeat or the Elastic Windows integration; the thread creation it looks for is Sysmon Event ID 8 (CreateRemoteThread) with MSBuild.exe as the source process. Sysmon only records Event ID 8 when its configuration asks for it, so hosts running a minimal Sysmon configuration will not produce the telemetry this rule needs.

MSBuild is a legitimate tool on developer workstations and build servers, so a hit from a host that belongs to a build pipeline deserves different handling from a hit on, say, a finance user's laptop: MSBuild injecting into another process on a host with no development role is a strong signal of compromise. The rule's guidance covers this triage and the response steps that follow.
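To make the detection logic concrete, the following added example (not the rule's own code, nor anything shipped by Elastic) applies the condition described above, Sysmon Event ID 8 with MSBuild.exe as the source process, to a handful of constructed events laid out the way Winlogbeat's Sysmon module emits them (ECS fields plus the raw Sysmon fields under `winlog.event_data`). The field placement, the host names, the process IDs and the `DEV_HOSTS` set used for triage context are all assumptions made for illustration; the comparison on `process.name` is case-insensitive to mirror EQL's `:` operator.

```python
"""Added example: apply the MSBuild remote-thread detection to sample events.

This is illustrative code written for this page, not the Elastic rule itself.
The events below are constructed; field names follow Winlogbeat's Sysmon
module as an assumption.
"""
from typing import Any, Dict, List

# Sysmon Event ID 8 is CreateRemoteThread: one process starting a thread in
# another, the primitive that classic injection techniques rely on.
SYSMON_CREATE_REMOTE_THREAD = "8"
MSBUILD = "msbuild.exe"

# Hosts with a known development or build role (assumption for triage context).
DEV_HOSTS = {"build-agent-01"}

MSBUILD_PATH = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed sample events (values invented for the example).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # MSBuild.exe creating a thread in a browser on a non-dev host: hit
        "host": {"os": {"type": "windows"}, "name": "ws-finance-07"},
        "event": {"code": "8", "provider": "Microsoft-Windows-Sysmon"},
        "process": {"name": "MSBuild.exe", "pid": 4120, "executable": MSBUILD_PATH},
        "winlog": {"event_data": {
            "SourceImage": MSBUILD_PATH, "SourceProcessId": "4120",
            "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
            "TargetProcessId": "2288", "StartAddress": "0x000001F4A2C00000"}},
    },
    {   # same behaviour on a build agent, lower-case name: still a hit
        "host": {"os": {"type": "windows"}, "name": "build-agent-01"},
        "event": {"code": "8", "provider": "Microsoft-Windows-Sysmon"},
        "process": {"name": "msbuild.exe", "pid": 812, "executable": MSBUILD_PATH.lower()},
        "winlog": {"event_data": {
            "SourceImage": MSBUILD_PATH.lower(), "SourceProcessId": "812",
            "TargetImage": r"C:\Windows\System32\conhost.exe",
            "TargetProcessId": "1540", "StartAddress": "0x00007FF6A1B20000"}},
    },
    {   # MSBuild.exe process creation (EID 1), not a remote thread: no hit
        "host": {"os": {"type": "windows"}, "name": "ws-finance-07"},
        "event": {"code": "1", "provider": "Microsoft-Windows-Sysmon"},
        "process": {"name": "MSBuild.exe", "pid": 4120, "executable": MSBUILD_PATH},
        "winlog": {"event_data": {"Image": MSBUILD_PATH, "ProcessId": "4120"}},
    },
    {   # remote thread from a different source process: no hit for this rule
        "host": {"os": {"type": "windows"}, "name": "ws-finance-07"},
        "event": {"code": "8", "provider": "Microsoft-Windows-Sysmon"},
        "process": {"name": "powershell.exe", "pid": 5208},
        "winlog": {"event_data": {
            "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "SourceProcessId": "5208", "TargetImage": r"C:\Windows\explorer.exe",
            "TargetProcessId": "3304", "StartAddress": "0x00000000771B3C00"}},
    },
    {   # EID 8 with no process.name populated: no hit (nothing to match on)
        "host": {"os": {"type": "windows"}, "name": "ws-hr-02"},
        "event": {"code": "8", "provider": "Microsoft-Windows-Sysmon"},
        "process": {"pid": 6660},
        "winlog": {"event_data": {"SourceProcessId": "6660", "TargetProcessId": "900"}},
    },
]


def field(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Look up a dotted ECS path such as 'host.os.type' in a nested dict."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule(event: Dict[str, Any]) -> bool:
    """Windows host, Sysmon CreateRemoteThread, source process is MSBuild.exe."""
    name = field(event, "process.name") or ""
    return (
        field(event, "host.os.type") == "windows"
        and str(field(event, "event.code")) == SYSMON_CREATE_REMOTE_THREAD
        and name.lower() == MSBUILD
    )


def detect(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one alert per matching event with the fields an analyst needs first."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        data = field(ev, "winlog.event_data", {}) or {}
        host = field(ev, "host.name", "")
        alerts.append({
            "host": host,
            "source_image": data.get("SourceImage", ""),
            "source_pid": data.get("SourceProcessId", ""),
            "target_image": data.get("TargetImage", ""),
            "target_pid": data.get("TargetProcessId", ""),
            "start_address": data.get("StartAddress", ""),
            # Triage context: MSBuild is expected on build hosts, not elsewhere.
            "context": ("developer host: confirm the build pipeline explains this"
                        if host in DEV_HOSTS
                        else "non-developer host: treat as process injection"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the finance workstation hit, tagged for immediate response, and the build-agent hit, tagged for pipeline verification. The other three events fall through because they are either not a CreateRemoteThread event or not sourced from MSBuild.exe.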
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1055 (Process Injection)
  • T1127 (Trusted Developer Utilities Proxy Execution)
  • T1127.001 (MSBuild)
Created: 2020-03-25