diff --git a/rules/web/web_citrix_cve_2019_19781_exploit.yml b/rules/web/web_citrix_cve_2019_19781_exploit.yml
index 2d63d3fe..8f4cc5d0 100644
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@@ -6,21 +6,20 @@ references:
     - https://support.citrix.com/article/CTX267027
     - https://isc.sans.edu/diary/25686
     - https://twitter.com/mpgn_x64/status/1216787131210829826
+    - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
 author: Arnim Rupp, Florian Roth
 status: experimental
 date: 2020/01/02
-modified: 2020/01/13
+modified: 2020/01/15
 logsource:
     category: webserver
-    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)'
+    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
     selection:
         c-uri-path:
             - '*/../vpns/*'
             - '*/vpns/cfg/smb.conf'
-            - '*/vpns/portal/scripts/newbm.pl*'
-            - '*/vpns/portal/scripts/rmbm.pl*'
-            - '*/vpns/portal/scripts/picktheme.pl*'
+            - '*/vpns/portal/scripts/*.pl*'
     condition: selection
 fields:
     - client_ip
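Review bot: The new wildcard `'*/vpns/portal/scripts/*.pl*'` contradicts the description added in the same hunk, which states that logout.pl is the one script in portal/scripts that is not exploitable — every ordinary logout via that path will now raise the alert, and the description itself says direct (non-traversal) paths are expected from authenticated users on some deployments. Excluding it in the rule rather than in prose keeps the detection consistent with its own documentation: add a filter under `detection:` as `filter:` / `c-uri-path: '*/vpns/portal/scripts/logout.pl*'` and change the condition to `condition: selection and not filter`. Note also that the unchanged `'*/../vpns/*'` pattern only matches a literal `../`, so percent-encoded dot segments (`%2e%2e/`) in the raw request line would presumably not match unless the log source decodes the URI before it is written; the description's "test with robots.txt" advice might usefully say which form the appliance logs.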