diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
index d5967a44e..d55f1e293 100644
--- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
@@ -10,7 +10,7 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
 author: Tom Ueltschi (@c_APT_ure), Tim Shelton
 date: 2019/01/12
-modified: 2023/01/31
+modified: 2023/06/21
 tags:
     - attack.t1037.001
     - attack.persistence
@@ -36,6 +36,8 @@ detection:
             - 'C:\Windows\SysWOW64\proquota.exe'
     filter_optional_citrix:
         Image|endswith: '\Citrix\System32\icast.exe'
+    filter_optional_image_null:
+        Image: null
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
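Review bot: The new `filter_optional_image_null` selector suppresses every event whose `Image` field is absent, and because the `condition` line negates all `filter_optional_*` selectors, a telemetry or parsing pipeline that stops populating `Image` would silence this rule entirely instead of surfacing the gap as alerts. Nothing in the hunk records why such events occur for the rule's log source, so a reader cannot tell whether this is a known artifact of a specific collector or a workaround for a one-off data problem; a one-line comment such as `# Suppress events where Image was not extracted; these carry no image path to match and would otherwise alert on every userinit child` above the selector would make the intent reviewable. It is also worth confirming that the chosen backends support matching on `null`, since the filter is a no-op or a compile error where they do not. The `selection` block and the `filter_main_*` selectors this condition references start outside the hunk.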