diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 053efdd88..8022026de 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/09"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,18 @@ type = "query"
 query = '''
 event.category:process and event.type:start and process.name:launchctl and
- process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME))
+ process.args:(setenv and not (JAVA*_HOME or
+ RUNTIME_JAVA_HOME or
+ DBUS_LAUNCHD_SESSION_BUS_SOCKET or
+ ANT_HOME or
+ LG_WEBOS_TV_SDK_HOME or
+ WEBOS_CLI_TV or
+ EDEN_ENV)
+ ) and
+ not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
+ "/usr/local/bin/kr" or
+ "/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
+ "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper")
 '''