diff --git a/detection/execution/exotic-commands-macos.sql b/detection/execution/exotic-commands-macos.sql
index 2dcff13..abacbc2 100644
--- a/detection/execution/exotic-commands-macos.sql
+++ b/detection/execution/exotic-commands-macos.sql
@@ -74,7 +74,7 @@ WHERE
 OR REGEX_MATCH (p.name, "(pwn|xig|xmr)", 1) != "" -- malicious processes
 OR REGEX_MATCH (
 p.cmdline,
- "(sshd|bitspin|lushput|incbit|traitor|msfvenom|urllib.urlopen|nohup.*tmp|chrome.*--load-extension|tail -f /dev/null|)",
+ "(bitspin|lushput|incbit|traitor|msfvenom|urllib.urlopen|nohup.*tmp|chrome.*--load-extension|tail -f /dev/null|)",
 1
 ) != "" -- suspicious things
 OR REGEX_MATCH (
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index c061694..1cb5bcd 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -189,7 +189,7 @@ WHERE
 'Software Signing'
 ) -- Locally built executables
 AND NOT (
- signature.identifier = "a.out"
+ s.identifier = "a.out"
 AND homedir LIKE '~/%'
- AND pp.name LIKE '%sh'
+ AND p1.name LIKE '%sh'
 )
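Review bot: The trailing `|` inside the group on the added line leaves an empty alternative, and under leftmost-first alternation (as RE2, which osquery's REGEX_MATCH is built on, implements it) the search succeeds at offset 0 with an empty capture whenever none of the listed indicators starts the command line, so the `!= ""` test fails for a cmdline such as `/usr/bin/bitspin` and this OR branch only fires when an indicator is the very first token. Dropping the empty alternative restores the intended substring search: `"(bitspin|lushput|incbit|traitor|msfvenom|urllib.urlopen|nohup.*tmp|chrome.*--load-extension|tail -f /dev/null)",`. The unescaped `.` in `urllib.urlopen` is harmless but `urllib\.urlopen` would make the intent explicit. The enclosing WHERE clause starts and ends outside the hunk.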
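Review bot: With the alias references corrected, the carve-out on the last changed line still suppresses the alert for any parent whose name merely ends in `sh` — `ssh` as well as real shells — so an unsigned `a.out` under the home directory is excluded from the "unexpected execdir" signal in more cases than the "Locally built executables" comment intends; an explicit list such as `AND p1.name IN ('sh', 'bash', 'zsh', 'fish', 'dash', 'ksh')` keeps the exclusion without widening it. `homedir` is the only unqualified column inside this `NOT (...)` group; if it is a computed alias from the SELECT list that is fine, otherwise it should be qualified like `s` and `p1`. The FROM clause that declares `s` and `p1`, and the rest of the WHERE, lie outside the hunk, so I cannot confirm those aliases from here.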