Potential Command Line Path Traversal Evasion Attempt

Sigma Rules

Summary
This detection rule identifies potential command-line path traversal evasion attempts on Windows systems. It targets process command lines that contain dot-dot-slash (..\) sequences used to climb the directory tree, which can indicate an attempt to reach a binary outside the apparent execution path while disguising the real target. Two selection patterns are defined: the first looks for an upward traversal that lands in a Windows system directory (for example '..\Windows\' or '..\System32\'); the second looks for command lines in which an executable is launched through a traversal sequence, a further form of command-line obfuscation. Filters exclude known benign usages by Google Drive and Citrix software so that these do not raise alerts unduly. The rule is useful for monitoring endpoint process activity and can help strengthen defenses against script-based evasion techniques.
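The selection-and-filter logic described above, as an added Python illustration that is not the Sigma rule itself: the regular expressions approximate the two selections from the summary, the filter substrings are hypothetical placeholders for the Google Drive and Citrix exclusions (the rule's exact strings are not on this page), and the sample command lines are constructed.

```python
import re
from dataclasses import dataclass

# Selection 1: an upward traversal that lands in a Windows system directory.
# Selection 2: a traversal sequence followed by an executable name
# (hypothetical approximation of the rule's second pattern).
SELECTION_1 = re.compile(r"\\\.\.\\(Windows|System32)\\", re.IGNORECASE)
SELECTION_2 = re.compile(r"\\\.\.\\[^\s\"]*\.exe\b", re.IGNORECASE)

# Placeholder benign-software filters (not the rule's real values).
FILTERS = ("\\google\\drive\\googledrivesync.exe", "\\citrix\\")


@dataclass
class Verdict:
    matched: bool
    reason: str


def evaluate(command_line: str) -> Verdict:
    """(selection_1 OR selection_2) AND NOT any filter, as the summary describes."""
    if SELECTION_1.search(command_line):
        reason = "selection_1: traversal into a Windows system directory"
    elif SELECTION_2.search(command_line):
        reason = "selection_2: executable launched through a traversal sequence"
    else:
        return Verdict(False, "no traversal pattern")
    lowered = command_line.lower()
    for benign in FILTERS:
        if benign in lowered:
            return Verdict(False, f"{reason.split(':')[0]} hit, excluded by filter {benign!r}")
    return Verdict(True, reason)


def scan(command_lines):
    """Return (command_line, reason) for every event that would alert."""
    results = [(cmd, evaluate(cmd)) for cmd in command_lines]
    return [(cmd, v.reason) for cmd, v in results if v.matched]


# Constructed sample process-creation command lines.
SAMPLE_EVENTS = [
    r"cmd.exe /c C:\Users\bob\..\..\Windows\System32\calc.exe",
    r"C:\Users\bob\Downloads\..\..\..\ProgramData\tool.exe --run",
    r"notepad.exe C:\Users\bob\notes.txt",
    r'"C:\Program Files\Google\Drive\googledrivesync.exe" "C:\Program Files\Google\Drive\..\..\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for cmd, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT [{reason}] {cmd}")
```

Running the block prints two alerts: the first sample via selection 1, the second via selection 2, while the Google Drive sample matches selection 1 but is suppressed by its filter.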
Categories
  • Windows
  • Endpoint
  • Application
  • On-Premise
Data Sources
  • Process
Created: 2021-10-26