diff --git a/rules/windows/network_connection/net_connection_win_susp_epmap.yml b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
index 2a0164d7485..98516b0abc2 100644
--- a/rules/windows/network_connection/net_connection_win_susp_epmap.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/RiccardoAncarani/TaskShell/
 author: frack113, Tim Shelton (fps)
 date: 2022/07/14
-modified: 2022/07/18
+modified: 2023/09/01
 tags:
 - attack.lateral_movement
 logsource:
@@ -18,11 +18,15 @@ detection:
 Initiated: 'true'
 DestinationPort: 135
 #DestinationPortName: epmap
-filter:
+filter_image:
 Image|startswith:
 - C:\Windows\
 - C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater
-condition: selection and not filter
+filter_image_null1:
+Image: null
+filter_image_null2:
+Image: ''
+condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
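Review bot: The new `filter_image_null1` and `filter_image_null2` entries carry no explanation, and because `Image` is the only field the rule's allow-list keys on, an epmap connection whose `Image` is missing or empty is now silently dropped instead of raising a high-severity alert; the reason that trade-off is acceptable should be stated in the rule itself. Add a comment above `filter_image_null1` such as `# Image is not populated for every event source; suppress those events so the rule alerts on behaviour rather than on enrichment gaps` and, if known, name the log source whose null values motivated the change. With `condition: selection and not 1 of filter_*`, any future key named `filter_*` automatically becomes an exclusion, so the naming scheme is worth keeping deliberate. Separately, consider narrowing `filter_image` from the whole `C:\Windows\` directory prefix to the specific binaries expected to contact the endpoint mapper, since that prefix is now the rule's main coverage limit. The `detection:` mapping and its `selection` block begin above this hunk.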