diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
index ab68f0b043f..4dad7b03855 100644
--- a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -14,7 +14,7 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage|endswith: '\msbuild.exe'
+ Image|endswith: '\msbuild.exe'
 filter:
 DestinationPort:
 - '80'
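Review bot: The block named `filter` under `detection:` lists `DestinationPort: '80'`, which for a stager rule reads like a required match rather than an exclusion. The `condition:` line is outside this hunk, so confirm it joins the two blocks with `and`, and consider renaming the block to something like `selection_port:`. With the match now on `Image|endswith: '\msbuild.exe'`, the rule fires on any msbuild.exe connection to the listed ports, so build hosts that fetch packages over HTTP(S) are a likely false-positive source worth naming under `falsepositives:`. If the rule carries a `modified:` date it should be bumped with this logic change; that field is not visible here.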