From e56dab0016094d91b1172bc6177ca35c15bde513 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 17 Jun 2022 16:33:47 +0000
Subject: [PATCH] False positive: ignore amazon ssm agent setup

---
 .../proc_access_win_direct_syscall_ntopenprocess.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 41ad52be8..219ef24db 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -6,7 +6,7 @@ references:
 status: experimental
 author: Christian Burkard, Tim Shelton
 date: 2021/07/28
-modified: 2022/05/15
+modified: 2022/06/17
 logsource:
     category: process_access
     product: windows
@@ -25,6 +25,9 @@ detection:
         falsepositive4:
             TargetImage: 'C:\Windows\system32\systeminfo.exe'
             SourceImage|endswith: 'setup64.exe' #vmware
+        falsepositive5:
+            TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
+            SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
         condition: selection and not 1 of falsepositive*
     falsepositives:
         - Unknown
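Review bot: The new `falsepositive5` exclusion keys on a bare filename suffix for both `TargetImage` and `SourceImage`, which is looser than the full-path `TargetImage` used by `falsepositive4` directly above it: any process whose image name merely ends in that string, from any directory, would suppress the detection, so a renamed binary could blend into the allowlist. Anchoring the suffix on the path separator, `TargetImage|endswith: '\AmazonSSMAgentSetup.exe'` and `SourceImage|endswith: '\AmazonSSMAgentSetup.exe'`, narrows the match to that exact filename; if the installer's expected directory is known, a full `TargetImage` path as in `falsepositive4` would be narrower still. A short trailing comment such as `#aws ssm agent installer`, matching the `#vmware` annotation on the previous entry, would document why the exclusion exists. The `falsepositives` list still reads only `Unknown` and could name the SSM agent installer now that the rule explicitly tunes for it.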