From cefb84ae15f7db9f1ca98fca5df93b9f27a22683 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 16:03:46 -0400
Subject: [PATCH] [Rule Tuning] Modification of Environment Variable via Launchctl (#2119)

* add exception for vmoptions
---
 .../macos/defense_evasion_modify_environment_launchctl.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 8022026de..52ec9d8ba 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2022/07/18"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,8 @@
 event.category:process and event.type:start and
 not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
 "/usr/local/bin/kr" or
 "/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
- "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper")
+ "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper") and
+ not process.args : "*.vmoptions"
 '''
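Review bot: The new exclusion `not process.args : "*.vmoptions"` in the second hunk is a global filter on an attacker-controlled field: it suppresses the alert for any launchctl environment change whose argument list contains a value ending in .vmoptions, regardless of which parent spawned it, whereas the existing exceptions are keyed on process.parent.executable. Since the false positive being tuned out is presumably a JetBrains-style launcher (the neighbouring jspawnhelper entry suggests this, though the commit message only says "vmoptions"), the exception would be safer scoped to that parent, e.g. `not (process.parent.executable : "<PLACEHOLDER_IDE_PARENT_PATH>" and process.args : "*.vmoptions")`, so the wildcard cannot be satisfied by an arbitrary process. The context lines also carry a pre-existing duplicate of the NoMachine nxserver.bin path in the parent list, which could be dropped while this list is being edited. The query's opening `query = '''` line is outside the hunk, so the full expression is not visible here.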