diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 2231ee99..7e111015 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -18,7 +18,9 @@ detection:
     selection:
         EventID: 15
     filter:
-        Imphash: '00000000000000000000000000000000'
+        Imphash:
+            - '00000000000000000000000000000000'
+            - null
     condition: selection and not filter
 fields:
     - TargetFilename
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index aab980bc..1e99dc4f 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@@ -24,7 +24,9 @@ detection:
     exec_exclusion1:
         Image: '*\explorer.exe'
     exec_exclusion2:
-        CommandLine: '*\netlogon.bat'
+        CommandLine:
+            - '*\netlogon.bat'
+            - '*\UsrLogon.cmd'
     condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
 ---
 logsource:
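Review bot: The added `- null` entry makes `filter` match every EventID 15 event whose Imphash field is absent, so on a log pipeline that does not split Sysmon's combined Hash string into a separate Imphash field the filter swallows everything and the rule goes silent without any error. Whether a bare `null` inside a list is honoured as a field-absence test is also backend-dependent; the Sigma convention treats it that way, but a backend that stringifies list members would instead search for a literal "null". If the intent is to drop streams for which no import hash was computed (presumably non-PE content), say so next to the entry, e.g. `- null  # Imphash absent: no import table was hashed for this stream`, and state the expected Hash-field normalisation in the rule description so deployers can check it. The enclosing `detection:` mapping starts before the hunk.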
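Review bot: The new `'*\UsrLogon.cmd'` exclusion, like the existing `'*\netlogon.bat'` one, keys only on the trailing file name of CommandLine, so any invocation whose command line ends in that name is dropped regardless of the directory it runs from or what launched it, which widens the rule's blind spot beyond the benign case. Since this rule covers logon-script persistence, a path-constrained pattern anchored on the location the script is legitimately served from would keep the known-good case out without excluding same-named scripts elsewhere; if that path is not known here, a `# TODO(review): constrain to the expected logon-script path` comment on the entry would flag it. At minimum the rule's `falsepositives` section should name this script so the reason for the exclusion survives the commit message. The `detection:` block starts before the hunk, and the file continues with a second `---` document after it.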