{
	"id": "f4ff0dbe-f9df-47b6-99c2-eb2de4088060",
	"created_at": "2026-04-06T00:12:15.594869Z",
	"updated_at": "2026-04-10T03:22:12.121328Z",
	"deleted_at": null,
	"sha1_hash": "80ba2d4d450bcee4632ab34e7e412e6957c02e81",
	"title": "Modification of Environment Variable via Launchctl | Elastic Security [7.17]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49012,
	"plain_text": "Modification of Environment Variable via Launchctl | Elastic\r\nSecurity [7.17]\r\nArchived: 2026-04-05 17:20:05 UTC\r\nModification of Environment Variable via Launchctl\r\nIdentifies modifications to an environment variable using the built-in launchctl command. Adversaries may\r\nexecute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or\r\nbypass certain restrictions.\r\nRule type: query\r\nRule indices:\r\nauditbeat-*\r\nlogs-endpoint.events.*\r\nSeverity: medium\r\nRisk score: 47\r\nRuns every: 5m\r\nSearches indices from: now-9m (Date Math format, see also Additional look-back time)\r\nMaximum alerts per execution: 100\r\nReferences:\r\nhttps://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb\r\nTags:\r\nElastic\r\nHost\r\nmacOS\r\nThreat Detection\r\nDefense Evasion\r\nVersion: 5\r\nRule authors:\r\nElastic\r\nhttps://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html\r\nPage 1 of 2\r\nRule license: Elastic License v2\r\nevent.category:process and event.type:start and\r\n process.name:launchctl and\r\n process.args:(setenv and not (JAVA*_HOME or\r\n RUNTIME_JAVA_HOME or\r\n DBUS_LAUNCHD_SESSION_BUS_SOCKET or\r\n ANT_HOME or\r\n LG_WEBOS_TV_SDK_HOME or\r\n WEBOS_CLI_TV or\r\n EDEN_ENV)\r\n ) and\r\n not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\r\n \"/usr/local/bin/kr\" or\r\n \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\r\n \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/j\r\n not process.args : \"*.vmoptions\"\r\nFramework: MITRE ATT\u0026CK™\r\nTactic:\r\nName: Defense Evasion\r\nID: TA0005\r\nReference URL: https://attack.mitre.org/tactics/TA0005/\r\nTechnique:\r\nName: Hijack Execution Flow\r\nID: T1574\r\nReference URL: https://attack.mitre.org/techniques/T1574/\r\nSub-technique:\r\nName: Path Interception by PATH Environment Variable\r\nID: T1574.007\r\nReference URL: https://attack.mitre.org/techniques/T1574/007/\r\nSource: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html"
	],
	"report_names": [
		"prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80ba2d4d450bcee4632ab34e7e412e6957c02e81.pdf",
		"text": "https://archive.orkl.eu/80ba2d4d450bcee4632ab34e7e412e6957c02e81.txt",
		"img": "https://archive.orkl.eu/80ba2d4d450bcee4632ab34e7e412e6957c02e81.jpg"
	}
}