diff --git a/rules/windows/process_creation/win_pc_esentutl_webcache.yml b/rules/windows/process_creation/win_pc_esentutl_webcache.yml
new file mode 100644
index 000000000..8ebe9fc75
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_esentutl_webcache.yml
@@ -0,0 +1,25 @@
+title: Esentutl Steals Browser Information 
+id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
+status: experimental
+description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
+references:
+    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
+    - https://redcanary.com/threat-detection-report/threats/qbot/
+author: frack113
+date: 2022/02/13
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: \esentutl.exe
+        CommandLine|contains|all:
+            - '/r '
+            - '\Windows\WebCache'
+    condition: selection
+falsepositives:
+    - legitimate use
+level: medium
+tags:
+    - attack.collection
+    - attack.t1005
diff --git a/rules/windows/process_creation/win_pc_reg_defender_exclusion.yml b/rules/windows/process_creation/win_pc_reg_defender_exclusion.yml
new file mode 100644
index 000000000..6bf0ed714
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_reg_defender_exclusion.yml
@@ -0,0 +1,32 @@
+title: Registry Defender Exclusions
+id: 48917adc-a28e-4f5d-b729-11e75da8941f
+status: experimental
+description: Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.
+references:
+    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
+    - https://redcanary.com/threat-detection-report/threats/qbot/
+author: frack113
+date: 2022/02/13
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: \reg.exe
+        CommandLine|contains:
+            - 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\'
+            - 'HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
+        CommandLine|contains|all:
+            - 'ADD '
+            - '/t '
+            - 'REG_DWORD '
+            - '/v '
+            - '/d '
+            - '0'
+    condition: selection
+falsepositives:
+    - legitimate use
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001