diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 7e111015c..dbb055ad0 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -17,11 +17,11 @@ logsource:
 detection:
 selection:
 EventID: 15
- filter:
- Imphash:
- - '00000000000000000000000000000000'
- null
- condition: selection and not filter
+ filter1:
+ Imphash: '00000000000000000000000000000000'
+ filter2:
+ Imphash: null
+ condition: selection and not 1 of filter*
 fields:
 - TargetFilename
 - Image
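Review bot: `filter2` (`Imphash: null`) makes the rule depend on Sysmon actually emitting an Imphash on Event ID 15 records; on a host whose Sysmon configuration does not include IMPHASH in its HashAlgorithms, the field is presumably absent on every event, so the filter suppresses every hit and the rule goes silent instead of alerting. The same exclusion applies to any PE content for which Sysmon reports the all-zero Imphash matched by `filter1`, so a detection gap there should be expected rather than discovered. That dependency should be recorded in the rule itself, e.g. a YAML comment above `filter2` such as `# an absent Imphash is the intended non-PE exclusion; requires IMPHASH in the Sysmon HashAlgorithms config, otherwise no event ever matches`, and a matching `falsepositives` entry in the rule header outside this hunk. The `1 of filter*` wildcard will also pick up any selection later added with a `filter` prefix, which is fine here but worth remembering when the rule is extended. The rule's title, status and description lines precede the hunk.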