diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
index a609cec0d..72c24271d 100644
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
@@ -17,18 +17,19 @@ detection:
 # Sysmon: File Creation (ID 11)
 EventID: 11
 #.NET webshells
- TargetFilename: '*\inetpub\wwwroot\*.asp'
- TargetFilename: '*\inetpub\wwwroot\*.aspx'
- TargetFilename: '*\inetpub\wwwroot\*.ashx'
- #php webshells
- TargetFilename: '*\inetpub\wwwroot\*.ph*'
- TargetFilename: '*\www\*.ph*'
- TargetFilename: '*\htdocs\*.ph*'
- TargetFilename: '*\html\*.ph*'
- #apache tomcap webshell
- TargetFilename: '*\*.jsp*'
- #cgi-bin perl webshell
- TargetFilename: '*\cgi-bin\*.pl'
+ TargetFilename:
+ - '*\inetpub\wwwroot\*.asp'
+ - '*\inetpub\wwwroot\*.aspx'
+ - '*\inetpub\wwwroot\*.ashx'
+ #php webshells
+ - '*\inetpub\wwwroot\*.ph*'
+ - '*\www\*.ph*'
+ - '*\htdocs\*.ph*'
+ - '*\html\*.ph*'
+ #apache tomcap webshell
+ - '*\*.jsp*'
+ #cgi-bin perl webshell
+ - '*\cgi-bin\*.pl'
 condition: selection
 falsepositives:
 - Unknown
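Review bot: The added list entry `'*\*.jsp*'` is the only pattern with no directory component, so unlike the IIS, PHP and cgi-bin entries it fires on any `.jsp`-prefixed file created anywhere on the host (source checkouts, IDE temp files, backups), which will dominate the rule's false positives now that all values are OR'ed together. Anchoring it to a servlet-container web root the way the other patterns are anchored — for example Tomcat's `'*\webapps\*.jsp*'` — keeps the intent of the `#apache tomcap webshell` comment while restoring the path constraint; the exact roots to list depend on which containers the deployment runs, so confirm against the environment. The same comment has a typo and, like `#php webshells` and `#cgi-bin perl webshell`, lacks the space after `#` that yamllint expects: `# Apache Tomcat webshell`. The `selection:` mapping these values belong to starts above the hunk, so its remaining fields are not visible here.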