Merge pull request #3245 from redsand/fp_epmap_from_amazon_ssm

False positive from amazon ssm agent updater connecting to local ip a…

rules/windows/network_connection/net_connection_win_susps_epmap.yml

@@ -4,8 +4,9 @@ status: experimental
 description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)
 references:
     - https://github.com/RiccardoAncarani/TaskShell/
-author: frack113
+author: frack113, Tim Shelton (fps)
 date: 2022/07/14
+modified: 2022/07/18
 logsource:
     category: network_connection
     product: windows
@@ -16,10 +17,12 @@ detection:
         DestinationPort: 135
         #DestinationPortName: epmap
     filter:
-        Image|startswith: C:\Windows\
+        Image|startswith: 
+            - C:\Windows\
+            - C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater
     condition: selection and not filter
 falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.lateral_movement
+    - attack.lateral_movement