diff --git a/rules/windows/process_creation/proc_creation_win_sc_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml
similarity index 79%
rename from rules/windows/process_creation/proc_creation_win_sc_query.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml
index 1cdf5001e7d..39b21139e76 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_query.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml
@@ -6,20 +6,23 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
 author: frack113
 date: 2021/12/06
-modified: 2022/11/10
+modified: 2024/02/08
 tags:
 - attack.discovery
 - attack.t1007
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_img:
 Image|endswith: '\sc.exe'
- OriginalFileName|endswith: 'sc.exe'
+ OriginalFileName: 'sc.exe'
 selection_cli:
 CommandLine|contains: ' query'
- condition: all of selection_*
+ filter_optional_keybase:
+ CommandLine: 'sc query dokan1'
+ condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
 - Legitimate query of a service by an administrator to get more information such as the state or PID
 - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
similarity index 87%
rename from rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
index 267eba7f468..03c3bcec0fc 100644
--- a/rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
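Review bot: The new `filter_optional_keybase` uses an exact `CommandLine: 'sc query dokan1'` match, so it only suppresses the Keybase invocation named in the falsepositives entry when the process is spawned with that bare string; a launch that carries a quoted or fully-qualified path to sc.exe would still alert despite being the same activity. An exact match is the tighter choice, so if telemetry confirms Keybase always spawns it this way, a comment saying so would keep a later maintainer from loosening it, e.g. `# Note: kbfsdokan.exe launches "sc query dokan1" without a path, exact match is intentional`. If path variants are observed instead, `CommandLine|endswith: ' query dokan1'` together with the existing `Image|endswith: '\sc.exe'` selection covers them while still tying the filter to sc.exe. The rule's `level` and `status` fields are outside this hunk, so whether the move into rules-threat-hunting should also revisit them is not visible here.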
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
@@ -10,6 +10,7 @@ modified: 2022/12/25
 tags:
 - attack.discovery
 - attack.t1057
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
@@ -20,5 +21,5 @@ detection:
 - OriginalFileName: 'tasklist.exe'
 condition: selection
 falsepositives:
- - Administrator, hotline ask to user
+ - Likely from users, administrator and different internal and third party applications.
 level: informational
diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
new file mode 100644
index 00000000000..565e70fbe28
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
@@ -0,0 +1,30 @@
+title: Interesting Service Enumeration Via Sc.EXE
+id: e83e8899-c9b2-483b-b355-5decc942b959
+status: experimental
+description: |
+ Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
+ Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
+references:
+ - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+ - https://pentestlab.blog/tag/svchost/
+author: Swachchhanda Shrawan Poudel
+date: 2024/02/12
+tags:
+ - attack.t1003
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\sc.exe'
+ - OriginalFileName: 'sc.exe'
+ selection_cli:
+ CommandLine|contains: 'query'
+ selection_cmd:
+ # Note: add more interesting services
+ CommandLine|contains: 'termservice'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+# Note: can be upgraded to medium after an initial baseline
+level: low
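Review bot: The rewritten false-positive entry `- Likely from users, administrator and different internal and third party applications.` mixes singular and plural and ends with a period, unlike the entries of the sc_query rule earlier in this diff; `- Likely from users, administrators and various internal and third-party applications` reads cleaner and matches the sibling file. The detection block this falsepositives list belongs to starts outside the hunk.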
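Review bot: The new sc_query_interesting_services rule tags only `attack.t1003` (credential dumping) although what its selections match is `sc.exe` with `query` in the command line, the same activity the sc_query rule earlier in this diff tags as `attack.discovery` / `attack.t1007`; the references describe credential dumping as a later step, not what the command itself does. Adding `- attack.discovery` and `- attack.t1007` next to the existing tag keeps the technique mapping consistent across the two sc.exe rules. The same applies to the tasklist_module_enumeration rule added later in this diff, which matches `tasklist.exe` module enumeration but likewise carries only `attack.t1003`.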
diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
new file mode 100644
index 00000000000..ba84150d26b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
@@ -0,0 +1,32 @@
+title: Loaded Module Enumeration Via Tasklist.EXE
+id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
+status: experimental
+description: |
+ Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
+ This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
+ In order to dump the process memory or perform other nefarious actions.
+references:
+ - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+ - https://pentestlab.blog/tag/svchost/
+author: Swachchhanda Shrawan Poudel
+date: 2024/02/12
+tags:
+ - attack.t1003
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\tasklist.exe'
+ - OriginalFileName: 'tasklist.exe'
+ selection_flags:
+ CommandLine|contains:
+ - '/m'
+ - '-m'
+ selection_module:
+ # Note: add other interesting modules or binaries
+ CommandLine|contains: 'rdpcorets.dll'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
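Review bot: The third description line `In order to dump the process memory or perform other nefarious actions.` is a sentence fragment; folding it into the previous sentence, `… that is using the DLL in question, in order to dump the process memory or perform other nefarious actions.`, reads correctly. `selection_flags` is a substring match on `/m` and `-m`, which on their own would hit many unrelated switches; it is only the `rdpcorets.dll` requirement in `selection_module` that keeps the rule tight, so a comment next to the flag list such as `# Note: these short substrings rely on selection_module to stay specific` would warn whoever later broadens the module list.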