diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index d7693d1b..217b73a4 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -20,9 +20,9 @@ detection:
 selection1:
 EventID: 4738
 filter1:
- AllowedToDelegateTo: null
- filter2:
- AllowedToDelegateTo: '-'
+ AllowedToDelegateTo:
+ - null
+ - '-'
 selection2:
 EventID: 5136
 AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
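Review bot: Folding `null` into the value list under `AllowedToDelegateTo` in `filter1` relies on the converter treating a null list item the same as the scalar `AllowedToDelegateTo: null` it replaces. Some backends may render a null inside a list as a literal string rather than a field-absent test, in which case the filter would stop excluding 4738 events with no delegation value and the rule would get noisier. It is worth converting the rule with the backends in use and comparing the output against the old two-filter form. The `condition` line is outside this hunk, so also confirm it no longer names `filter2`, which this change removes. A short comment above the list would help the next reader, for example `# null: field absent; '-': presumably logged when the attribute was not changed`.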