diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml
new file mode 100644
index 000000000..566fce0d4
--- /dev/null
+++ b/rules/windows/malware/win_mal_flowcloud.yml
@@ -0,0 +1,28 @@
+title: FlowCloud Malware
+id: 5118765f-6657-4ddb-a487-d7bd673abbf1
+status: experimental
+description: Detects FlowCloud malware from threat group TA410.
+references:
+  - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+author: NVISO
+tags:
+  - attack.persistence
+  - attack.t1112
+date: 2020/06/09
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID:
+      - 12 # key create
+      - 13 # value set
+    TargetObject:
+      - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
+      - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
+      - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
+      - 'HKLM\SYSTEM\Setup\PrintResponsor\*'
+    condition: selection
+falsepositives:
+  - Unknown
+level: critical
diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml
new file mode 100644
index 000000000..4e7a58883
--- /dev/null
+++ b/rules/windows/malware/win_mal_octopus_scanner.yml
@@ -0,0 +1,24 @@
+title: Octopus Scanner Malware
+id: 805c55d9-31e6-4846-9878-c34c75054fe9
+status: experimental
+description: Detects Octopus Scanner Malware.
+references:
+  - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+tags:
+  - attack.t1195
+author: NVISO
+date: 2020/06/09
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  filecreate:
+    EventID: 11
+  selection:
+    TargetFilename|endswith:
+      - '\AppData\Local\Microsoft\Cache134.dat'
+      - '\AppData\Local\Microsoft\ExplorerSync.db'
+  condition: filecreate and selection
+falsepositives:
+  - Unknown
+level: high
\ No newline at end of file
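Review bot: The three exact-match GUID entries under `TargetObject` will only fire for EventID 12; Sysmon's EventID 13 reports the full value path (key plus value name), so a value written under `HKLM\HARDWARE\{804423C2-...}` never equals the bare key string and the "value set" branch of the selection is dead for those keys. Changing the field to `TargetObject|startswith:` keeps the key-create match and also catches value sets beneath the keys, while the existing `PrintResponsor\*` entry keeps working. Separately, this rule and win_mal_octopus_scanner.yml bind to `service: sysmon` plus raw EventIDs while sysmon_apt_muddywater_dnstunnel.yml in the same commit uses a generic category; `category: registry_event` here (and `category: file_event` in the Octopus rule) would let backends map the selection to non-Sysmon registry and file telemetry instead of hard-coding the event source.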
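Review bot: The `tags` list carries only the technique `attack.t1195` without the tactic tag the other rules in this commit pair it with; T1195 (Supply Chain Compromise) sits under Initial Access, so add `- attack.initial_access` above it so the rule groups correctly in tactic-based views. The `description` ("Detects Octopus Scanner Malware.") restates the title; a sentence saying it keys on the creation of the two artifact files under the user's `AppData\Local\Microsoft` directory would tell an analyst what a hit actually means. The file also lacks a trailing newline (`\ No newline at end of file`), which yamllint and most repo linters reject.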
diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
new file mode 100644
index 000000000..3bb4c1aae
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -0,0 +1,27 @@
+title: DNS Tunnel Technique from MuddyWater
+id: 36222790-0d43-4fe8-86e4-674b27809543
+description: Detecting DNS tunnel activity for Muddywater actor
+author: '@caliskanfurkan_'
+status: experimental
+date: 2020/06/04
+references:
+  - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+  - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+tags:
+  - attack.command_and_control
+  - attack.t1071
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith:
+      - '\powershell.exe'
+    ParentImage|endswith:
+      - '\excel.exe'
+    CommandLine|contains:
+      - 'DataExchange.dll'
+  condition: selection
+falsepositives:
+  - Unkown
+level: critical
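Review bot: The `description` promises detection of DNS tunnel activity, but the selection contains no DNS or network field at all; it matches a PowerShell process spawned by Excel whose command line mentions `DataExchange.dll`, i.e. the document-borne loader stage, and an analyst reading the alert text will look for the wrong evidence. Rewording it to something like `description: Detects PowerShell launched from Excel with DataExchange.dll on the command line, the loader stage of a MuddyWater sample that uses DNS tunneling for C2` keeps the attribution while stating what the rule actually sees. `falsepositives` has a typo, `- Unkown` should be `- Unknown`. The `Image`, `ParentImage` and `CommandLine` values are single-element lists, which is valid Sigma but reads inconsistently with the scalar style used elsewhere in the repository; plain scalars would be tidier.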