From dd1214627abc3ef59378ba77d568c0e04cac5fa2 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 19 Mar 2021 10:20:04 +0100
Subject: [PATCH] [Rule Tuning] Modification of Environment Variable via Launchctl (#1010)

* [Rule Tuning] Modification of Environment Variable via Launchctl

* update date
---
 ...ense_evasion_modify_environment_launchctl.toml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 053efdd88..8022026de 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/09"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,18 @@ type = "query"
 
 query = '''
 event.category:process and event.type:start and process.name:launchctl and
- process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME))
+ process.args:(setenv and not (JAVA*_HOME or
+ RUNTIME_JAVA_HOME or
+ DBUS_LAUNCHD_SESSION_BUS_SOCKET or
+ ANT_HOME or
+ LG_WEBOS_TV_SDK_HOME or
+ WEBOS_CLI_TV or
+ EDEN_ENV)
+ ) and
+ not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
+ "/usr/local/bin/kr" or
+ "/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
+ "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper")
 '''
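Review bot: The new `process.parent.executable` exclusion list repeats `"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin"` as both its first and third entry, so the third entry is dead and looks like a copy-paste slip where a different NoMachine binary may have been intended; either drop the duplicate line or put the intended path there. More importantly, every exclusion here keys on a filesystem path alone, and `/usr/local/bin/kr` (a Homebrew-style location that is commonly user-writable) and paths under `/Applications` are places a local attacker can often write to, so a binary dropped at one of these paths silences `launchctl setenv` of any environment variable for every child it spawns. If the endpoint index carries ECS code-signature fields, consider narrowing the parent exclusion to signed binaries, e.g. appending `and process.parent.code_signature.trusted:true` inside the `not` clause, or at least recording the accepted risk in the rule's false-positive notes. The env-var name exclusions are less of a concern, but `JAVA*_HOME` is a wildcard and will also suppress any attacker-chosen name that happens to match it, which is worth a comment in the rule metadata.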