diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
index 0c13c80cc..e63542221 100644
--- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
@@ -24,8 +24,10 @@ detection:
 selection2:
 CommandLine|contains: '.exe\..\'
 filter:
- CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
+ - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
+ - CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
 condition: 1 of selection* and not filter
 falsepositives:
 - Google Drive
+ - Citrix
 level: high
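Review bot: The Citrix entry added to `filter` is a bare `CommandLine|contains` match, so this `level: high` rule is suppressed for any process whose command line contains that path fragment anywhere, not only for the Citrix launcher; the existing Google Drive entry has the same weakness. Where the telemetry allows, tie each exclusion to the process that legitimately produces the event by adding an `Image|endswith` or `ParentImage|endswith` key to the same list item; the right binary is not visible in this hunk and should be taken from the false-positive event. Splitting the list into named selections such as `filter_google_drive` and `filter_citrix`, with `condition: 1 of selection* and not 1 of filter_*`, would also document each exclusion separately. The rule header and the start of `detection` are outside the hunk.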