diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
new file mode 100644
index 000000000..9f11649fa
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
@@ -0,0 +1,31 @@
+title: Suspicious PrinterPorts Creation (CVE-2020-1048)
+id: cc08d590-8b90-413a-aff6-31d1a99678d7
+status: experimental
+description: Detects new commands that add new printer port which point to suspicious file
+author: EagleEye Team, Florian Roth
+date: 2020/05/13
+modified: 2020/05/23
+references:
+    - https://windows-internals.com/printdemon-cve-2020-1048/
+tags:
+    - attack.persistence
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains:
+            - 'Add-PrinterPort -Name'
+    selection2:
+        CommandLine|contains:
+            - '.exe'
+            - '.dll'
+            - '.bat'
+    selection3:
+        CommandLine|contains:
+            - 'Generic / Text Only'
+    condition: ( selection1 and selection2 ) or selection3
+falsepositives:
+    - New printer port install on host
+level: high
diff --git a/rules/windows/sysmon/sysmon_cve-2020-1048.yml b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
index 491590211..866b77756 100644
--- a/rules/windows/sysmon/sysmon_cve-2020-1048.yml
+++ b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
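Review bot: `selection3` stands alone in the condition, so any command line that merely mentions the built-in `Generic / Text Only` driver — including an ordinary `Add-Printer ... -PortName LPT1:` — raises a high-level alert, while the file-path indicators in `selection2` are only demanded on the `Add-PrinterPort` leg. `selection2` is also weaker than it looks: a PowerShell command line usually carries `powershell.exe` itself, so `'.exe'` matches nearly every invocation and `selection1 and selection2` collapses to `selection1`. I would require the file-path evidence on both legs and bind it to the argument that follows `-Name`/`-PortName` (a `|re` modifier, if the target backend supports it) rather than matching `.exe` anywhere, and name the `Add-Printer` + `Generic / Text Only` case under `falsepositives`. The whole rule is new in this hunk, so nothing is cut off.
```yaml
detection:
    selection1:
        CommandLine|contains: 'Add-PrinterPort'
    selection2:
        # the file-like value must be the port argument itself, so the
        # process image path (e.g. powershell.exe) cannot satisfy the match
        CommandLine|re: '(?i)-(Name|PortName)\s+\S+\.(exe|dll|bat)'
    selection3:
        CommandLine|contains|all:
            - 'Add-Printer'
            - 'Generic / Text Only'
    condition: ( selection1 or selection3 ) and selection2
```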
@@ -1,20 +1,15 @@
-action: global
-title: Suspicious PrinterPorts Created (CVE-2020-1048)
+title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
 id: 7ec912f2-5175-4868-b811-ec13ad0f8567
 status: experimental
-description: Detects new registry printer port was created or powershell command add new printer port which point to suspicious file
+description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
 author: EagleEye Team, Florian Roth
 date: 2020/05/13
-modified: 2020/05/15
+modified: 2020/05/23
 references:
     - https://windows-internals.com/printdemon-cve-2020-1048/
 tags:
     - attack.persistence
     - attack.execution
-falsepositives:
-    - New printer port install on host
-level: high
----
 logsource:
     service: sysmon
     product: windows
@@ -31,18 +26,9 @@ detection:
         TargetObject|contains:
             - '.dll'
             - '.exe'
+            - '.bat'
             - 'C:'
     condition: selection
----
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection1:
-        CommandLine|contains: 'Add-PrinterPort -Name'
-    selection2:
-        CommandLine|contains:
-            - '.dll'
-            - '.exe'
-    condition: selection1 and selection2
-
+falsepositives:
-    - New printer port install on host
+level: high
\ No newline at end of file
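Review bot: The `'C:'` entry in the same `TargetObject|contains` list already matches any port whose value contains a system-drive path, so the new `'.bat'` entry, like `.dll` and `.exe`, only adds coverage for ports on other drives or UNC paths; if extension matching is meant to be the signal on its own it is easy to sidestep with `.cmd`, `.ps1` or a non-executable name, since the port value is presumably the file that ends up written. I would say so above the list, `# 'C:' covers any system-drive path; the extension entries only matter for other drives/UNC`, and consider `.cmd`/`.ps1` next to `.bat`. The file now also ends without a trailing newline (`\ No newline at end of file`); add one so the next edit does not show a spurious change on `level: high`. The `selection` this list belongs to, and any Event ID or key-path filter scoping it to the Ports registry key, begin above the hunk, so I cannot confirm which registry events it is limited to.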