diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 3a83f32..213523e 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -76,37 +76,38 @@ WHERE -- Exceptions that specifically talk to one server
 AND exception_key NOT IN (
- 'coredns,0.0.0.0,53',
- 'syncthing,46.162.192.181,53',
- 'Socket Process,8.8.8.8,53',
- 'com.docker.backend,8.8.8.8,53',
- 'ZoomPhone,8.8.8.8,53',
- 'ZoomPhone,200.48.225.130,53',
- 'gvproxy,170.247.170.2,53',
+ 'AssetCacheLocatorService,0.0.0.0,53',
 'CapCut,8.8.8.8,53',
- 'ZaloCall,8.8.8.8,53',
- 'Telegram,8.8.8.8,53',
- 'com.docker.vpnkit,8.8.8.8,53',
- 'WebexHelper,8.8.8.8,53',
- 'Meeting Center,8.8.8.8,53',
- 'ServiceExtension,8.8.8.8,53',
- 'nuclei,1.0.0.1,53',
- 'distnoted,8.8.8.8,53',
- 'limactl,8.8.8.8,53',
- 'msedge,8.8.8.8,53',
- 'brave,8.8.8.8,53',
- 'adguard_dns,1.0.0.1,53',
- 'helm,185.199.108.133,53',
- 'coredns,8.8.8.8,53',
- 'signal-desktop,8.8.8.8,53',
- 'slack,8.8.8.8,53',
- 'zed,8.8.8.8,53',
 'EpicWebHelper,8.8.4.4,53',
 'EpicWebHelper,8.8.8.8,53',
+ 'Meeting Center,8.8.8.8,53',
+ 'ServiceExtension,8.8.8.8,53',
 'Signal Helper (Renderer),8.8.8.8,53',
- 'plugin-container,8.8.8.8,53',
+ 'Socket Process,8.8.8.8,53',
+ 'Telegram,8.8.8.8,53',
+ 'WebexHelper,8.8.8.8,53',
 'WhatsApp,1.1.1.1,53',
- 'AssetCacheLocatorService,0.0.0.0,53'
+ 'ZaloCall,8.8.8.8,53',
+ 'ZoomPhone,200.48.225.130,53',
+ 'ZoomPhone,8.8.8.8,53',
+ 'adguard_dns,1.0.0.1,53',
+ 'brave,8.8.8.8,53',
+ 'cg,108.177.98.95,53',
+ 'com.docker.backend,8.8.8.8,53',
+ 'com.docker.vpnkit,8.8.8.8,53',
+ 'coredns,0.0.0.0,53',
+ 'coredns,8.8.8.8,53',
+ 'distnoted,8.8.8.8,53',
+ 'gvproxy,170.247.170.2,53',
+ 'helm,185.199.108.133,53',
+ 'limactl,8.8.8.8,53',
+ 'msedge,8.8.8.8,53',
+ 'nuclei,1.0.0.1,53',
+ 'plugin-container,8.8.8.8,53',
+ 'signal-desktop,8.8.8.8,53',
+ 'slack,8.8.8.8,53',
+ 'syncthing,46.162.192.181,53',
+ 'zed,8.8.8.8,53'
 )
 -- Local DNS servers and custom clients go here
 AND basename NOT IN (
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index e5b5599..d63bffa 100644
--- a/detection/c2/unexpected-talkers-linux.sql
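Review bot: The only substantive addition in this otherwise re-sorted list is `'cg,108.177.98.95,53'`, and it carries no comment saying what `cg` is, whereas nearly every other basename in the list identifies a recognizable program. The exception key appears to be basename, remote address and port, so a two-letter basename that any process can adopt is a weak match key; a one-line comment above the entry such as `-- cg: <program/owner — placeholder>` would make the exemption auditable and let a later reviewer decide whether it is still wanted. Mixing the re-sort with a functional change also makes the new key easy to miss in review; landing them separately would help. The enclosing WHERE clause continues outside the hunk.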
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -83,6 +83,7 @@ WHERE protocol > 0
 )
 AND NOT exception_key IN (
 '123,17,500,chronyd,0u,0g,chronyd',
+ '19305,6,500,msedge,0u,0g,msedge',
 '4070,6,500,spotify,u,g,spotify',
 '49152,6,500,ContinuityCaptureAgent,Software Signing',
 '587,6,500,perl,0u,0g,git-send-email',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 82a3ad6..6b8962e 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -103,7 +103,16 @@ WHERE pos.pid IN (
 AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
 )
 AND NOT (
- unsigned_exception = '500,6,32768,gvproxy,gvproxy'
+ unsigned_exception IN (
+ '500,6,32768,gvproxy,gvproxy',
+ '500,17,123,gvproxy,gvproxy'
+ )
 AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
 )
+ AND NOT (
+ unsigned_exception = '500,0,0,chainlink,chainlink'
+ AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
+ AND remote_port = 0
+ AND protocol = 0
+ )
 GROUP BY p0.cmdline
diff --git a/detection/credentials/macos_keyboard_sniffer.sql b/detection/credentials/macos_keyboard_sniffer.sql
index e784bd9..a5238ab 100644
--- a/detection/credentials/macos_keyboard_sniffer.sql
+++ b/detection/credentials/macos_keyboard_sniffer.sql
@@ -79,7 +79,8 @@ WHERE
 'polyrecorder,polyrecorder,Developer ID Application: Adam Pietrasiak (SXF593CX2N)',
 'skhd,skhd,',
 'LinearMouse,com.lujjjh.LinearMouse,Developer ID Application: Jiahao Lu (C5686NKYJ7)',
- 'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)'
+ 'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
+ 'deskflow-server,deskflow-server,'
 )
 GROUP BY p0.path
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index 56cf8b1..f46736c 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
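Review bot: The new entry `'19305,6,500,msedge,0u,0g,msedge'` exempts a TCP connection to port 19305 from a process named msedge without saying why that port is expected; the neighbouring entries carry no comments either, but 123 and 587 are ports a reader recognises and 19305 is not. A short note such as `-- 19305/tcp: msedge, presumably Google Meet media traffic; confirm` would record the reason. Judging by the key layout, the second field pins protocol 6, so if the same traffic is also seen over UDP a sibling entry with 17 would be needed; that is inferred from the chronyd entry rather than visible here. The exception list continues outside the hunk.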
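Review bot: The new chainlink exclusion adds `AND remote_port = 0 AND protocol = 0` even though, going by the gvproxy keys where `'500,6,32768,…'` and `'500,17,123,…'` encode protocol and port, `'500,0,0,chainlink,chainlink'` already pins both to 0; if `unsigned_exception` is built from those columns the two predicates are redundant and can be dropped, and if it is not, the key format deserves a comment. The match itself is by process name plus a `go run` scratch path under `/var/folders/%/T/go-build%/b001/exe/`, which any unsigned Go binary named chainlink would satisfy, so a comment recording what chainlink is and why it runs unsigned (e.g. `-- chainlink: <owner/tool — placeholder>, built locally via go run`) is needed for a reviewer to judge the exemption later. The enclosing WHERE clause begins outside the hunk.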
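Review bot: `'deskflow-server,deskflow-server,'` has an empty signing-authority field, so any process with that name is exempted from the keyboard-sniffer check regardless of code signature, the same shape as the existing `'skhd,skhd,'` entry. Since `p0.path` is available here (it is the GROUP BY column), a separate predicate of the form `AND NOT (exception_key = 'deskflow-server,deskflow-server,' AND p0.path LIKE '<expected install path — placeholder>')` would be a tighter exemption than a name-only key, matching the path-scoped pattern used elsewhere in this rule set for unsigned binaries. At minimum a comment such as `-- deskflow-server ships unsigned; see <reference — placeholder>` should record why no authority is expected. The enclosing WHERE clause begins outside the hunk.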
@@ -72,25 +72,26 @@ WHERE (
 AND NOT homepath LIKE '~/%x86_64%'
 AND NOT top3_dir LIKE '~/.%/extensions'
 AND NOT top2_dir IN (
+ '~/.cursor',
 '~/.dropbox-dist',
+ '~/.fzf',
 '~/.goenv',
 '~/.gradle/jdks',
+ '~/.krew',
 '~/.local',
 '~/.pnpm',
+ '~/.pulumi',
 '~/.rbenv',
 '~/.rustup',
- '~/.pulumi',
- '~/Code',
- '~/code',
- '~/.cursor',
- '~/Projects',
- '~/src',
 '~/.sdkman',
 '~/.supermaven',
 '~/.terraform',
 '~/.tflint.d',
 '~/.vs-kubernetes',
- '~/.krew'
+ '~/Code',
+ '~/Projects',
+ '~/code',
+ '~/src'
 )
 AND NOT top3_dir IN (
 '~/.bin',
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index f9077a6..bc3c55a 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -78,8 +78,10 @@ WHERE
 '/.mozilla/',
 '/tmp/.accounts-agent/',
 '/tmp/.audio-agent/',
- -- Xcode; see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
- '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82',
+ -- Xcode;
+ -- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
+ -- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
+ '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
 '/tmp/.bazelci/',
 '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
 '/tmp/.content-agent/',
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 9964959..c91bbcf 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -111,6 +111,7 @@ WHERE
 '~/Applications (Parallels)/',
 '~/bin/',
 '~/.cargo/',
+ '~/chainguard_repos/',
 '~/code/',
 '~/Code/',
 '~/.config/',
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index b3e9d0b..5927884 100644
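Review bot: The only functional change among the re-sorted `top2_dir` entries is `'~/.fzf'`, which exempts hidden executables anywhere two directory levels under `~/.fzf`. If the binary being allowed lives at `~/.fzf/bin/fzf`, where the upstream installer places it, adding `'~/.fzf/bin'` to the `top3_dir` list that follows (`AND NOT top3_dir IN (`) is a narrower match than the whole `~/.fzf` tree; confirm against the host that raised the alert. A comment naming the tool, e.g. `-- fzf shell-integration install`, would also help, since the list otherwise has none.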
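Review bot: The substantive change in the unexpected-hidden-system-paths hunk is the trailing `F` on the `/tmp/.BBE72B…` entry, which makes it a 64-character hex name where the old value had 63, so the exception presumably never matched before; the new comment does not say this, and a reader comparing versions cannot tell whether the path changed upstream or was mistyped. Extending the comment with `-- (64-char hex name; the earlier entry was truncated by one character)` would capture that. It is also worth confirming which predicate consumes this list, since this entry has no trailing `/` while the directory entries around it do; the comparison logic is outside the hunk.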
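Review bot: `'~/chainguard_repos/'` in the unexpected-execdir-macos hunk adds an organisation-specific working directory to a generic exec-directory allow list with no comment, unlike the tool-specific entries (`~/.cargo/`, `~/bin/`) around it. Exempting everything executed under that tree from the check is broad; if it is a local checkout convention, a comment such as `-- <org> developer checkouts; local convention, remove if not applicable` lets other deployments prune it. The list continues outside the hunk.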
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -86,11 +86,12 @@ WHERE -- Focus on longer-running programs
 AND exception_key NOT IN (
 '0,velociraptor,a.out,',
 '500,cloud_sql_proxy,a.out,',
- '500,sdzoomplugin,,',
- '500,sdaudioswitch,,',
+ '500,docker,docker,',
 '500,gopls,a.out,',
+ '500,sdaudioswitch,,',
+ '500,sdaudioswitch,sdaudioswitch,',
 '500,sdmicmute,sdmicmute,',
- '500,sdaudioswitch,sdaudioswitch,'
+ '500,sdzoomplugin,,'
 )
 AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
 AND NOT exception_key LIKE '500,___Test%.test,a.out'
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index a1dc166..225e93e 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -183,6 +183,7 @@ WHERE
 'cron.com',
 'discord.com',
 'dl.discordapp.net',
+ 'dl2.discordapp.net',
 'dl.google.com',
 'duckduckgo.com',
 'dygma.com',
@@ -213,6 +214,7 @@ WHERE
 'obsidian.md',
 'obsproject.com',
 'opalcamera.com',
+ 'openai.com',
 'persistent.oaistatic.com',
 'portswigger-cdn.net',
 'posit.co',
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 26d19f1..042e112 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -175,6 +175,7 @@ WHERE
 '8009,6,0,java',
 '80,6,0,docker-proxy',
 '80,6,101,nginx',
+ '80,6,0,apache2',
 '80,6,33,apache2',
 '80,6,60,nginx',
 '8080,6,0,coredns',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 7401ab1..9d5c80a 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
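Review bot: The addition of `'500,docker,docker,'` is the only functional change in the long-running-security-framework hunk, the rest being a re-sort that moves existing keys, and neither the entry nor the surrounding list says what the empty fourth field means or why a long-running process named docker should be exempt from this check. A comment above the entry such as `-- docker CLI left running by <context — placeholder>` would give a later reviewer something to verify against. Landing the re-sort separately from the new key would also keep the functional change visible in blame. The enclosing WHERE clause begins outside the hunk.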
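Review bot: `'80,6,0,apache2'` in the unexpected-listening-port-linux hunk allows a root-owned apache2 listener on 80/tcp next to the existing uid 33 entry without explaining the difference; on Debian-style hosts the root process is the master that binds the port before forking the uid 33 workers, which is presumably what this covers. A comment such as `-- apache2 master binds as root; workers run as www-data (33)` would make the pair self-explanatory. If the host that produced the alert is actually serving requests as root, that is a configuration finding rather than an allow-list gap, so it is worth confirming before merging.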
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -313,6 +313,7 @@ WHERE
 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
 'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
 'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
+ 'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
 'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
 'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
 'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
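Review bot: The new key starts with `ubuntu-advantag`, which reads like a typo but is apparently the 15-character truncation of the process name that the kernel reports for `ubuntu-advantage-desktop-daemon`; the path in the same key shows the full name. A comment above the entry such as `-- process name is truncated to 15 characters by the kernel` would stop a future cleanup from "fixing" it into a key that never matches. The list continues outside the hunk.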