
Summary
This detection rule identifies the Microsoft Build Engine (MSBuild) being started by a script interpreter such as the Windows command prompt or PowerShell. MSBuild is primarily a developer tool for building applications, so its invocation from a script host is atypical and can indicate misuse of a trusted utility to execute adversary-controlled code, a behaviour that warrants investigation. The rule's query uses specific keywords and filters for process-start event categories on Windows systems. Its risk score of 21 marks it as low criticality, but the unusual use of MSBuild still merits attention. The setup notes state that an ingest pipeline is required for the rule to work correctly on specific versions of the Elastic Stack. The recommended response is to isolate affected systems, terminate suspicious processes and investigate thoroughly to mitigate risk. The rule also lists false positives that arise from standard development practices and recommends tailored investigation to separate legitimate builds from suspicious activity.
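The following is an added illustration, not the rule's own query: a small Python model of the detection logic described above, run over constructed process-start events laid out with Elastic Common Schema (ECS) field names (event.category, event.type, process.name, process.parent.name). The page names the command prompt and PowerShell as script interpreters; the concrete executable names in SCRIPT_INTERPRETERS, the expected_build_hosts exception list, and all sample hosts, users and command lines are this example's assumptions.

```python
from typing import Iterable

# Script interpreters that should not normally launch MSBuild. The page names
# the command prompt and PowerShell; the exact executable names and the extra
# script hosts here are this example's assumption, not the rule's published list.
SCRIPT_INTERPRETERS = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
})

RISK_SCORE = 21  # low criticality, as the rule summary states


def _values(field) -> set:
    """ECS event.category / event.type may be a string or a list; normalise to a set."""
    if field is None:
        return set()
    if isinstance(field, str):
        return {field.lower()}
    return {str(v).lower() for v in field}


def is_msbuild_started_by_script(event: dict) -> bool:
    """True when a Windows process-start event shows MSBuild.exe whose parent
    process is one of the script interpreters above."""
    ev = event.get("event", {})
    if "process" not in _values(ev.get("category")):
        return False
    if "start" not in _values(ev.get("type")):
        return False
    os_type = (event.get("host", {}).get("os", {}).get("type") or "").lower()
    if os_type != "windows":
        return False
    proc = event.get("process", {})
    name = (proc.get("name") or "").lower()
    parent = (proc.get("parent", {}).get("name") or "").lower()
    return name == "msbuild.exe" and parent in SCRIPT_INTERPRETERS


def triage(events: Iterable[dict], expected_build_hosts=frozenset()) -> list:
    """Apply the rule to a batch of events and return alert records.

    expected_build_hosts is the kind of tailored exception the rule's
    false-positive note calls for: CI build agents whose scripts legitimately
    call MSBuild from cmd.exe are suppressed instead of paged (assumption)."""
    alerts = []
    for ev in events:
        if not is_msbuild_started_by_script(ev):
            continue
        host = ev["host"]["name"]
        if host in expected_build_hosts:
            continue
        proc = ev["process"]
        alerts.append({
            "risk_score": RISK_SCORE,
            "host": host,
            "user": ev.get("user", {}).get("name"),
            "parent": proc["parent"]["name"],
            "command_line": proc.get("command_line"),
        })
    return alerts


def _event(host, os_type, parent, name, cmdline, user="alice"):
    """Build a constructed ECS-style process-start event for the sample below."""
    return {
        "event": {"category": ["process"], "type": ["start"]},
        "host": {"name": host, "os": {"type": os_type}},
        "user": {"name": user},
        "process": {"name": name, "command_line": cmdline, "parent": {"name": parent}},
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # PowerShell launching MSBuild on a project file in a temp directory -> alert
    _event("WS-1042", "windows", "powershell.exe", "MSBuild.exe",
           r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\proj.csproj"),
    # Visual Studio launching MSBuild -> ordinary developer build, no alert
    _event("DEV-07", "windows", "devenv.exe", "MSBuild.exe",
           r"MSBuild.exe /nologo /t:Build Contoso.sln"),
    # cmd.exe launching MSBuild on a CI agent -> matches; candidate for tuning
    _event("BUILD-AGENT-3", "windows", "cmd.exe", "MSBuild.exe",
           r"MSBuild.exe /m /p:Configuration=Release Contoso.sln", user="svc-build"),
    # Same parent/child names on a non-Windows host -> outside the rule's scope
    _event("LNX-2", "linux", "cmd.exe", "MSBuild.exe", "MSBuild.exe"),
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, expected_build_hosts={"BUILD-AGENT-3"}):
        print(alert)
```

Run as-is, the script prints one alert (the PowerShell-launched MSBuild on WS-1042); without the expected_build_hosts argument the CI agent's cmd.exe-launched build is reported as well, which is exactly the false-positive class the rule's notes say needs host- or script-specific tuning rather than a blanket exclusion of cmd.exe.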
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1127
- T1127.001
- T1059
- T1059.001
- T1059.003
- T1059.005
Created: 2020-03-25