diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
new file mode 100644
index 000000000..599ae9188
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
@@ -0,0 +1,25 @@
+title: SilentProcessExit Monitor Registrytion
+id: c81fe886-cac0-4913-a511-2822d72ff505
+description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
+author: Florian Roth
+references:
+    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+date: 2021/02/26
+tags:
+    - attack.persistence
+    - attack.t1546.012
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
+        Details|contain: 'MonitorProcess'
+        EventType:
+            - SetValue
+            - CreateValue
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
new file mode 100644
index 000000000..bafd3cbd2
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
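Review bot: `Details|contain: 'MonitorProcess'` in the selection uses a modifier Sigma does not define; the substring modifier is `contains`, so the line should read `Details|contains: 'MonitorProcess'` — as written, converters will either reject the rule or, depending on the backend, silently not apply the intended match. The title's `Registrytion` should be `Registration`; the same typo is in the `_lsass` rule added in the next hunk. The `EventType` list also carries `CreateValue`, which does not look like a value Sysmon emits for registry events (EID 12 reports CreateKey/DeleteKey, EID 13 SetValue/DeleteValue, EID 14 RenameKey), and because `Details` is only populated on SetValue events the second entry cannot contribute a match anyway; confirm against the Sysmon schema and consider collapsing it to `EventType: SetValue`. Both new files are added without a trailing newline.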
@@ -0,0 +1,24 @@
+title: SilentProcessExit Monitor Registrytion for LSASS
+id: 55e29995-75e7-451a-bef0-6225e2f13597
+description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
+author: Florian Roth
+references:
+    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+date: 2021/02/26
+tags:
+    - attack.credential_access
+    - attack.t1003.007
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
+        EventType:
+            - SetValue
+            - CreateValue
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
\ No newline at end of file
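Review bot: The description `... registered to dump process memory of the lsass.exe process memory` repeats itself; `Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process` says the same thing once. This selection has no `Details` constraint, so any value written under the `SilentProcessExit\lsass.exe` key (not only `MonitorProcess` but the accompanying `ReportingMode`/`DumpType` settings described in the referenced write-ups) fires at level critical; that is defensible for lsass.exe, but it is worth saying in the description that the rule is key-scoped rather than value-scoped, since the generic rule in the previous hunk will fire alongside it on the `MonitorProcess` write and analysts will see two alerts for one event. The `CreateValue` EventType question raised on the previous hunk applies to this `EventType` list as well.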