From fda2ca4308d826ec7ee20df3b41e2cdf37330ab2 Mon Sep 17 00:00:00 2001
From: Veramine
Date: Tue, 20 Sep 2022 17:20:19 -0700
Subject: [PATCH] Update proc_creation_win_commandline_path_traversal_evasion.yml

Fix FP with Citrix launcher

---
 .../proc_creation_win_commandline_path_traversal_evasion.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
index 0c13c80cc..e63542221 100644
--- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml
@@ -24,8 +24,10 @@ detection:
 selection2:
 CommandLine|contains: '.exe\..\'
 filter:
- CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
+ - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
+ - CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
 condition: 1 of selection* and not filter
 falsepositives:
 - Google Drive
+ - Citrix
 level: high
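Review bot: The new Citrix entry in `filter` is a bare `contains` on CommandLine, so any process whose command line embeds that substring is excluded from the rule, and CommandLine is content the launched process's caller chooses; tying the exclusion to the launcher's Image (or ParentImage) as well would keep it bound to the legitimate binary rather than to a string, and the same holds for the pre-existing Google Drive entry. Both filter entries use the same field and modifier, and Sigma ORs a value list under one key, so the shorter equivalent is `filter:` / `CommandLine|contains:` / `- '\Google\Drive\googledrivesync.exe\..\'` followed by `- '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'`. The added falsepositives entry `- Citrix` is vaguer than the existing `- Google Drive`; `- Citrix Virtual Smart Card launcher` names the component the filter actually excludes.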