diff --git a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
index 8727efafa..9f11649fa 100644
--- a/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2020_1048.yml
@@ -15,17 +15,17 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine|contains|all:
+        CommandLine|contains:
             - 'Add-PrinterPort -Name'
-            - '.dll'
     selection2:
-        CommandLine|contains|all:
-            - 'Add-PrinterPort -Name'
+        CommandLine|contains:
             - '.exe'
+            - '.dll'
+            - '.bat'
     selection3:
         CommandLine|contains:
             - 'Generic / Text Only'
-    condition: 1 of them
+    condition: ( selection1 and selection2 ) or selection3
 falsepositives:
     - New printer port install on host
 level: high
diff --git a/rules/windows/sysmon/sysmon_cve-2020-1048.yml b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
index d270a4f5d..866b77756 100644
--- a/rules/windows/sysmon/sysmon_cve-2020-1048.yml
+++ b/rules/windows/sysmon/sysmon_cve-2020-1048.yml
@@ -26,6 +26,7 @@ detection:
         TargetObject|contains:
            - '.dll'
            - '.exe'
+           - '.bat'
            - 'C:'
     condition: selection
 falsepositives:
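Review bot: The `'.exe'` entry in the new selection2 is likely a no-op filter, because a process_creation CommandLine normally begins with the invoking binary (for example powershell.exe), so `selection1 and selection2` collapses to "any `Add-PrinterPort -Name`" regardless of what the port name points at. If the intent is to require the port name itself to be a .dll/.exe/.bat path, anchor the extension to the argument instead, e.g. `CommandLine|re: 'Add-PrinterPort\s+-Name\s+\S*\.(dll|exe|bat)'`, or at minimum document that `.exe` will match the interpreter path. Separately, `selection3` still fires on its own for any command line containing `Generic / Text Only`, which is the name of a stock in-box driver; since the PrintDemon `Add-Printer` call also carries a `-PortName` with the payload path, `condition: selection2 and (selection1 or selection3)` would keep the detection while tying the driver name to a file-backed port. The `falsepositives` entry "New printer port install on host" does not cover the standalone-driver-name case and should be extended if selection3 stays as is.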
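Review bot: The `TargetObject|contains` list is OR-ed, so the existing `'C:'` entry already matches any port value that is an absolute path on the system drive, and the added `'.bat'` (like `'.dll'` and `'.exe'`) only adds coverage for port names that are relative, UNC, or on another drive letter; this is worth stating so the next editor does not keep appending extensions expecting them to narrow the match. A one-line YAML comment above the list, `# OR semantics: 'C:' covers any absolute system-drive path; extensions catch relative/UNC/other-drive port names`, would make that explicit. If the goal is drive-agnostic coverage, consider whether `'C:'` should be generalized rather than extending the extension list. The enclosing `selection` (its other fields, such as the registry key scope) starts outside the hunk, so I could not confirm what else constrains this match.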