diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql
index 94d7f1f..b7ee44c 100644
--- a/detection/initial_access/sketchy-mounted-diskimage.sql
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql
@@ -118,6 +118,7 @@ WHERE
   AND f != '/Volumes/brotherwdswML_nonPanel/MacResources'
   AND file.filename NOT LIKE '%.previous'
   AND file.filename NOT LIKE '%.interrupted'
+  AND signature.authority != 'Developer ID Application: Google LLC (EQHXZ8M8AV)'
   AND file.filename NOT LIKE '%.backup'
 )
 -- 7. Volumes containing a top-level symlink to something other than /Applications, such as yWnBJLaF (1302.app)
 OR (
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 248f545..72df7a4 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -143,6 +143,7 @@ WHERE
   'xargs',
   'xcrun',
   'xfce4-terminal',
+  'xfce4-session',
   'yum',
   'zellij',
   'zsh'
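Review bot: The added `signature.authority != '...'` exclusion is not NULL-safe: if the signature join (outside this hunk) can produce no row for a volume, the comparison yields UNKNOWN and this whole AND group stops matching for precisely the unsigned images the rule exists to surface, rather than only for the Google-signed ones. Writing it as `AND COALESCE(signature.authority, '') != 'Developer ID Application: Google LLC (EQHXZ8M8AV)'` keeps the exclusion scoped to the intended case whether the column is NULL or empty. An allowlist keyed on the authority string alone is also weaker than one keyed on a validated signature; if the joined table exposes a signature-validity column, pairing the two (`AND NOT (signature.signed = 1 AND signature.authority = '...')`) would make the exception harder to satisfy with a merely claimed identity — verify the column is available in this query. Placing the new line after the three `file.filename NOT LIKE` conditions instead of between them would keep the filename exclusions grouped. The enclosing parenthesised group starts above the hunk.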
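Review bot: The new `'xfce4-session'` entry, like the rest of this IN list, exempts the parent by bare process name, so any process that happens to be named xfce4-session is excluded from the detection regardless of where it runs from; if the rule has a parent-path column available (the column list and joins are outside this hunk), constraining this entry to the expected install location would keep the exception narrow. A short comment next to the entry stating the legitimate behaviour it covers, such as `-- xfce4-session: spawns shells when running session startup scripts`, would let the next reviewer judge whether the exception is still warranted; that justification is my inference from the name, so confirm it against the observed events. The enclosing IN list and WHERE clause start above the hunk.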