diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
new file mode 100644
index 000000000..9182bb218
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -0,0 +1,33 @@
+title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+ - https://twitter.com/_felamos/status/1204705548668555264
+ - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Commandline|endswith:
+ - '.dll'
+ - '.csproj'
+ Image|endswith:
+ - '\dotnet.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
new file mode 100644
index 000000000..236e747d3
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
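Review bot: Both new rules carry the identical `id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3`, here and again in the msdeploy hunk; Sigma requires rule ids to be unique, so one of the two needs a freshly generated UUID before merge. The selection also keys on `Commandline|endswith`, whereas the standard process_creation field, and this rule's own `fields` list, is spelled `CommandLine`; backends that map field names case-sensitively would emit a rule that never matches, so change the key to `CommandLine|endswith:` (the msdeploy hunk has the same `Commandline|contains|all` spelling). Separately, a command line ending in `.dll` is the normal way any .NET Core application is started through `dotnet.exe`, so this selection is likely to be noisy on developer and server hosts; naming that in the rule, e.g. `- Legitimate .NET Core applications launched as dotnet <app>.dll`, under `falsepositives` would help analysts tune it.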
@@ -0,0 +1,34 @@
+title: Execute Files with Msdeploy.exe
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: Detects file execution using the msdeploy.exe lolbin
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+ - https://twitter.com/pabraeken/status/995837734379032576
+ - https://twitter.com/pabraeken/status/999090532839313408
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Commandline|contains|all:
+ - 'verb:sync'
+ - '-source:RunCommand'
+ - '-dest:runCommand'
+ Image|endswith:
+ - '\msdeploy.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
\ No newline at end of file