diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index c844648f0..1ba054f54 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -14,10 +14,14 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage|endswith: '*\msbuild.exe'
- condition: selection
-fields:
- - ParentImage
+ DestinationPort:
+ - '80'
+ - '443'
+ Initiated: 'true'
+ filter:
+ Image|endswith:
+ - '*\msbuild.exe'
+ condition: selection and not filter
 falsepositives:
 - unknown
 level: high
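Review bot: The new condition `condition: selection and not filter` inverts the rule's intent: `filter` is the only clause naming msbuild.exe, so negating it makes the rule match every initiated connection to port 80/443 from any process except MSBuild and never the stager the title describes, which at `level: high` would flood the queue. It should read `condition: selection and filter`, or the `Image|endswith` clause should move into `selection` with the separate `filter` removed. The leading `*` in `'*\msbuild.exe'` is redundant under the `endswith` modifier and can be dropped to `'\msbuild.exe'`. The `logsource` block begins outside the hunk; DestinationPort and Initiated are Sysmon network-connection (Event ID 3) fields, so its category presumably needs to match the switch away from the old process-creation ParentImage field — worth confirming, as the hunk does not show it.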