diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 23d989f..5751f7e 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -156,6 +156,7 @@ WHERE
 p0_cmd LIKE '%/gcloud.py%'
 OR p0_cmd LIKE '%pip install%'
 OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
+ OR p0_cmd LIKE '%/main.py'
 OR p0_cmd LIKE '%/bin/aws%'
 )
 )
diff --git a/detection/evasion/unexpected-var-run-linux.sql b/detection/evasion/unexpected-var-run-linux.sql
index 932f1d4..ad6e06c 100644
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
@@ -43,6 +43,7 @@ WHERE
 'haproxy.pid',
 "lightdm.pid",
 'mcelog.pid',
+ 'nvidia-powerd.pid',
 'motd',
 'nvidia_runtimepm_enabled',
 'nvidia_runtimepm_supported',
diff --git a/detection/evasion/unexpected-var-run-macos.sql b/detection/evasion/unexpected-var-run-macos.sql
index 3d37fff..c9118ac 100644
--- a/detection/evasion/unexpected-var-run-macos.sql
+++ b/detection/evasion/unexpected-var-run-macos.sql
@@ -44,6 +44,7 @@ WHERE
 'FirstBootAfterUpdate',
 'FirstBootCleanupHandled',
 'hdiejectd.pid',
+ 'signpost_reporter_running',
 'kdc.pid',
 'prl_disp_service.pid',
 'prl_naptd.pid',
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index eb4cfc9..ba5e4ea 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -121,7 +121,6 @@ WHERE
 AND top3_dir NOT IN (
 '/Library/Apple/System',
 '/Library/Application Support/Adobe',
- '~/Library/Caches/Cypress',
 '~/Library/Application Support/BraveSoftware',
 '/Library/Application Support/Canon_Inc_IC',
 '~/Library/Application Support/com.elgato.StreamDeck',
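Review bot: The new exclusion `OR p0_cmd LIKE '%/main.py'` in the unexpected-https hunk allowlists any parent process whose command line ends in `/main.py`, which is about the most generic script name an implant or dropper could pick, so it carves a bypass straight through a C2 detection rather than tuning out one known program. Unlike its siblings (`'%/gcloud.py%'`, `'%/bin/aws%'`) it also has no trailing `%`, so it only fires when `main.py` is the final token and misses the same program invoked with arguments, which suggests the pattern was fitted to one observed command line rather than to the tool. Scope it to the directory of the program that produced the false positive, e.g. `OR p0_cmd LIKE '%/<tool-dir>/main.py%'`, and add a comment such as `-- <tool name>: talks HTTPS from a python entrypoint` so the next reader can judge whether the exclusion is still warranted (the tool itself is not identifiable from this hunk). The enclosing WHERE clause starts before the hunk.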
@@ -133,8 +132,8 @@ WHERE
 '~/Library/Application Support/zoom.us',
 '~/Library/Caches/com.knollsoft.Rectangle',
 '~/Library/Caches/com.mimestream.Mimestream',
+ '~/Library/Caches/Cypress',
 '~/Library/Caches/JetBrains',
- '~/.wdm/drivers/chromedriver',
 '~/Library/Caches/snyk',
 '/Library/Developer/CommandLineTools',
 '~/Library/Developer/Xcode',
@@ -145,12 +144,14 @@ WHERE
 '/opt/homebrew/Caskroom',
 '/opt/homebrew/Cellar',
 '/opt/homebrew/Library',
+ '/private/var/kolide-k2',
 '/usr/libexec/AssetCache',
 '/usr/libexec/rosetta',
 '/usr/local/Cellar',
 '/usr/local/kolide-k2',
 '/Volumes/Google Chrome/Google Chrome.app',
 '/Volumes/Slack/Slack.app'
+ '~/.wdm/drivers/chromedriver',
 )
 AND dir NOT IN (
 '/bin',
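Review bot: The moved `'~/.wdm/drivers/chromedriver',` line in the second hunk is inserted directly after `'/Volumes/Slack/Slack.app'`, which was the last entry of the `top3_dir NOT IN (...)` list and has no trailing comma, and it brings its own trailing comma before `)`; assuming this runs under osquery's SQLite, two adjacent string literals and a trailing comma inside an IN list are both parse errors, so the whole query fails to prepare and this execution detection silently stops producing results instead of getting noisier. Change the two lines to `'/Volumes/Slack/Slack.app',` and `'~/.wdm/drivers/chromedriver'`. Because a broken allowlist here is a detection gap rather than a visible failure, it is worth having CI at least `PREPARE`/`EXPLAIN` every query under sqlite3 so this class of edit cannot land. Both the NOT IN list and the enclosing WHERE clause begin before the hunk.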