diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml new file mode 100644 index 000000000..55bbc427e --- /dev/null +++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml @@ -0,0 +1,32 @@ +title: DNSCat2 Powershell Implementation Detection Via Process Creation +id: b11d75d6-d7c1-11ea-87d0-0242ac130003 +status: experimental +description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. +author: Cian Heasley +reference: + - https://github.com/lukebaggett/dnscat2-powershell + - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html + - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html +date: 2020/08/08 +tags: + - attack.command_and_control + - attack.t1071 + - attack.t1071.004 + - attack.t1001.003 + - attack.t1041 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '*\powershell.exe' + Image|endswith: '*\nslookup.exe' + CommandLine|endswith: '*\nslookup.exe' + condition: selection | count(Image) by ParentImage > 100 +fields: + - Image + - CommandLine + - ParentImage +falsepositives: + - Other powershell scripts that call nslookup.exe +level: high diff --git a/rules/windows/process_creation/win_mouse_lock.yml b/rules/windows/process_creation/win_mouse_lock.yml new file mode 100644 index 000000000..9ac5c53a8 --- /dev/null +++ b/rules/windows/process_creation/win_mouse_lock.yml 
@@ -0,0 +1,28 @@ +title: Mouse Lock Credential Gathering +id: c9192ad9-75e5-43eb-8647-82a0a5b493e3 +status: experimental +description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents. +author: Cian Heasley +reference: + - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf + - https://sourceforge.net/projects/mouselock/ +date: 2020/08/13 +tags: + - attack.credential_access + - attack.collection + - attack.t1056.002 +logsource: + category: process_creation +detection: + selection: + Product:|contains: 'Mouse Lock' + Company:|contains: 'Misc314' + CommandLine:|endswith: 'Mouse Lock_*.exe' + condition: selection +fields: + - Product + - Company + - CommandLine +falsepositives: + - Legitimate uses of Mouse Lock software +level: medium
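Review bot: In the win_dnscat2_powershell_implementation.yml hunk, `CommandLine|endswith: '*\nslookup.exe'` only matches an nslookup invocation whose command line ends with the executable path, i.e. one with no arguments, which contradicts the description that nslookup is called to craft DNS queries; the `Image|endswith` line already identifies the binary, so drop the CommandLine condition or, if an argument pattern is intended, express it with `contains`. Two smaller points in the same hunk: the leading `*` in `'*\powershell.exe'` and `'*\nslookup.exe'` is redundant with the `endswith` modifier, and the aggregation `condition: selection | count(Image) by ParentImage > 100` has no `timeframe` in the detection section, so the window over which the 100 child processes are counted is left to the backend; an explicit timeframe makes the threshold meaningful and keeps the stated false positive (other scripts calling nslookup) bounded. Also, `attack.t1001.003` is listed without its parent `attack.t1001`, while t1071 is tagged at both levels.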
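Review bot: In the win_mouse_lock.yml hunk, the selection keys `Product:|contains`, `Company:|contains` and `CommandLine:|endswith` carry a stray colon before the modifier pipe, so the field name would be read as `Product:` rather than `Product` and the modifiers will not apply; they should read `Product|contains: 'Mouse Lock'`, `Company|contains: 'Misc314'` and `CommandLine|endswith: 'Mouse Lock_*.exe'`. The logsource block also lacks `product: windows`, which the sibling rule in this patch includes and which the rules/windows path implies; without it the rule is not scoped to Windows process creation events. Minor: `attack.t1056.002` is tagged without the parent `attack.t1056`.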