these programs may be used by windows developers but use by non-engineers is unusual.

source: <a href=https://github.com/elastic/detection-rules/blob/main/rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml>elastic
technicques: T1127

Techniques

Identifies possibly suspicious activity using trusted Windows developer activity.

event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)