From d7e9a87feb97ef76e0b42b8f6613c0133d85e281 Mon Sep 17 00:00:00 2001
From: "S.kiran kumar"
Date: Mon, 26 Oct 2020 12:10:46 +0530
Subject: [PATCH] Update silenttrinity_stager_msbuild_activity.yml

---
 .../sysmon/silenttrinity_stager_msbuild_activity.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
index c844648f0..1ba054f54 100644
--- a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml
@@ -14,10 +14,14 @@ logsource:
     product: windows
 detection:
     selection:
-        ParentImage|endswith: '*\msbuild.exe'
-    condition: selection
-fields:
-    - ParentImage
+        DestinationPort:
+            - '80'
+            - '443'
+        Initiated: 'true'
+    filter:
+        Image|endswith:
+            - '*\msbuild.exe'
+    condition: selection and not filter
 falsepositives:
     - unknown
 level: high
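Review bot: The new `condition: selection and not filter` inverts the rule's intent: `selection` matches any initiated connection to port 80 or 443, and `not filter` then excludes exactly the msbuild.exe events the rule is named for, so it would fire on nearly every outbound web connection on the host and never on a SilentTrinity MSBuild stager. The image match belongs in the positive part of the logic — either `condition: selection and filter` as a one-line fix, or better, move `Image|endswith: '\msbuild.exe'` into `selection` and restore `condition: selection`. With the `endswith` modifier the leading `*` in `'*\msbuild.exe'` is redundant, and `DestinationPort` is conventionally an unquoted integer list in Sigma (`- 80` / `- 443`), so the quoted strings are worth normalising while touching these lines. The hunk does not show the `category` under `logsource`, but `DestinationPort` and `Initiated` are network-connection fields rather than process-creation fields, so that header (above the hunk) may need to change as well.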