diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index 308474475..b2e42f372 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 EventID: 3
- ParentImage|endswith: '\msbuild.exe'
+ ParentImage|endswith: 'msbuild.exe'
 condition: selection
 fields:
 - ParentImage
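Review bot: Dropping the leading backslash from the ParentImage|endswith value widens the selection: any parent image whose file name merely ends in msbuild.exe now matches, not only a file actually named msbuild.exe under some directory, so this is a change to the rule's match set rather than a cosmetic edit. The commit does not say why it is made; if the intent is to sidestep backslash-escaping problems in a particular backend, that reasoning belongs in the rule's description or in a comment next to the selection so the next maintainer does not revert it as a typo. If the narrower match is what the rule is meant to express, the path separator is what enforces it, `ParentImage|endswith: '\msbuild.exe'`, and the wider form should be paired with a falsepositives entry covering binaries whose names end in the same suffix. The rest of the rule (title, logsource, level) lies outside the hunk.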