diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index ae64441..59ecb7c 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -233,6 +233,7 @@ WHERE
 '443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
 '443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
 '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
+ '443,17,500,Evernote Helper,,',
 '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
 '443,6,500,trivy,a.out,',
 '443,6,500,vegeta,a.out,',
diff --git a/detection/evasion/empty_environ_macos.sql b/detection/evasion/empty_environ_macos.sql
index d938576..97f4fac 100644
--- a/detection/evasion/empty_environ_macos.sql
+++ b/detection/evasion/empty_environ_macos.sql
@@ -32,8 +32,7 @@ FROM processes p
 LEFT JOIN hash ON p.path = hash.path
 LEFT JOIN signature ON p.path = signature.path
 WHERE -- This time should match the interval
- p.start_time > (strftime('%s', 'now') - 605)
- -- Filter out transient processes that may not have an envs entry by the time we poll for it
+ p.start_time > (strftime('%s', 'now') - 605) -- Filter out transient processes that may not have an envs entry by the time we poll for it
 AND p.start_time < (strftime('%s', 'now') - 5)
 AND p.path NOT LIKE '/System/Library/%'
 AND NOT (
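Review bot: The added `'443,17,500,Evernote Helper,,'` exception matches on process name alone, with the identifier and signing-authority fields left empty, so any unsigned binary that calls itself "Evernote Helper" and sends UDP to port 443 is silenced; a process name is attacker-chosen, whereas the neighbouring entries are pinned to a Developer ID team. If the real helper is signed, record its identifier and authority as observed on the host rather than leaving the two trailing fields blank, e.g. `'443,17,500,Evernote Helper,<identifier>,<authority>'`; if it is not, say so in a trailing comment so the weaker match is a deliberate choice. The line is also inserted between `terraform-ls` and `terraform`, breaking the otherwise alphabetical order of the list. The `IN (...)` list this hunk edits starts and ends outside the hunk.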
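Review bot: Folding the two lines into one attaches the `-- Filter out transient processes ...` comment to the `p.start_time > (strftime('%s', 'now') - 605)` predicate, which it does not describe: that predicate is the one the `WHERE -- This time should match the interval` note refers to, while the transient-process filter is the `AND p.start_time < (strftime('%s', 'now') - 5)` line that follows. This looks like a formatter artifact; the comment should travel with its predicate, e.g. `AND p.start_time < (strftime('%s', 'now') - 5) -- Filter out transient processes that may not have an envs entry by the time we poll for it`, leaving the 605 line bare. The WHERE clause continues past the end of the hunk.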
@@ -41,13 +40,23 @@ WHERE -- This time should match the interval AND signature.authority = 'Software Signing' ) AND NOT exception_key IN ( + '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Google LLC (EQHXZ8M8AV)', '500,com.docker.cli,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)', '500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing', '500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing', + '500,Obsidian Helper (Renderer),md.obsidian.helper.Renderer,Developer ID Application: Dynalist Inc. (6JSW4SJWN9)', '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing' ) AND NOT exception_key LIKE '500,Google Chrome%,Developer ID Application: Google LLC (EQHXZ8M8AV)' AND NOT exception_key LIKE '500,Brave Browser %,com.brave.Browser.%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)' + -- Electron apps + AND NOT ( + p.path LIKE '/Applications/%Helper%' + AND ( + exception_key LIKE '500,%Helper%,Renderer,Developer ID Application: % (%)' + OR exception_key LIKE '500,%Helper%,helper,Developer ID Application: % (%)' + ) + ) GROUP BY p.pid HAVING count == 0; \ No newline at end of file
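Review bot: The new `-- Electron apps` exception is broad: `p.path LIKE '/Applications/%Helper%'` accepts any path under /Applications that contains "Helper", and `Developer ID Application: % (%)` accepts any team, so a helper signed with any Developer ID certificate (which any paid developer account can obtain) and dropped anywhere under /Applications with an empty environment is excluded from this detection. Since the exception exists for Electron helper processes, anchor it to their standard layout, e.g. `p.path LIKE '/Applications/%.app/Contents/Frameworks/%Helper%.app/Contents/MacOS/%Helper%'`, which still covers the Renderer/helper variants the two `exception_key LIKE` patterns describe while rejecting a stray "Helper" binary elsewhere. Note also that `%` in LIKE spans commas, so `'500,%Helper%,Renderer,...'` only requires "Helper" somewhere across the name and identifier fields, which is presumably intended but worth a comment. The SELECT this WHERE belongs to starts outside the hunk.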