diff --git a/rules/windows/network_connection/net_connection_win_susps_epmap.yml b/rules/windows/network_connection/net_connection_win_susps_epmap.yml
index f041ff56f..cb8eca222 100644
--- a/rules/windows/network_connection/net_connection_win_susps_epmap.yml
+++ b/rules/windows/network_connection/net_connection_win_susps_epmap.yml
@@ -4,8 +4,9 @@ status: experimental
 description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)
 references:
     - https://github.com/RiccardoAncarani/TaskShell/
-author: frack113
+author: frack113, Tim Shelton (fps)
 date: 2022/07/14
+modified: 2022/07/18
 logsource:
     category: network_connection
     product: windows
@@ -16,10 +17,12 @@ detection:
         DestinationPort: 135
         #DestinationPortName: epmap
     filter:
-        Image|startswith: C:\Windows\
+        Image|startswith:
+            - C:\Windows\
+            - C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater
     condition: selection and not filter
 falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.lateral_movement
\ No newline at end of file
+    - attack.lateral_movement
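Review bot: The new `Image|startswith` entry for the SSM updater has no trailing backslash, so any image whose path merely begins with `...\Update\amazon-ssm-agent-updater` (e.g. `amazon-ssm-agent-updater-x.exe` dropped next to it, or anything below a sibling directory with that prefix) is excluded from a high-severity rule; since `C:\ProgramData` is by default creatable by standard users, on hosts without the SSM agent that prefix is presumably plantable by a low-privileged user, which would turn this allow-list into a bypass. I would anchor the exclusion on both the versioned directory and the expected executable name by splitting it into its own filter, as below, and keep the `C:\Windows\` exclusion separate (that one already covers user-writable paths such as `C:\Windows\Temp\`, a pre-existing gap worth a comment). The `falsepositives` list still reads `- Unknown` even though the commit documents a known one; I would change it to `- Amazon SSM agent updater (amazon-ssm-agent-updater.exe) performing RPC endpoint-mapper connections`. The `detection` block's `selection` starts outside this hunk.
```yaml
    filter_windows:
        Image|startswith: 'C:\Windows\'
    filter_ssm_updater:
        Image|startswith: 'C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater\'
        Image|endswith: '\amazon-ssm-agent-updater.exe'
    condition: selection and not 1 of filter_*
```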