diff --git a/rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml b/rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml
new file mode 100644
index 00000000000..b872e0afc8b
--- /dev/null
+++ b/rules-emerging-threats/2024/Exploits/cleo-software/win_proc_creation_cleo_exploitation_2024.yml
@@ -0,0 +1,34 @@
+title: Possible Cleo MFT Exploitation 2024
+id: f007b877-02e3-45b7-8501-1b78c2864029
+status: experimental
+description: Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024.
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+references:
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+date: 2024-12-09
+tags:
+ - attack.execution
+ - attack.t1190
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\javaw.exe'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'powershell'
+ - ' -NonInteractive'
+ - ' -noni '
+ - ' -enc '
+ - ' -EncodedCommand'
+ ParentCommandLine|contains:
+ - 'VLTrader'
+ - 'lexicom'
+ - 'Harmony'
+ - 'VersaLex'
+
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
new file mode 100644
index 00000000000..3a753bb2a74
--- /dev/null
+++ b/rules/windows/process_creation/win_proc_creation_suspicious_powershell_from_javaw.yml
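Review bot: The description says the rule "Detects Powershell spawned from Cleo software", but `Image|endswith: '\cmd.exe'` only matches a cmd.exe child of javaw.exe whose command line mentions powershell, so a PowerShell process launched by the Java parent without a cmd.exe hop would not fire; either reword the description to say cmd.exe-wrapped PowerShell, or widen the image list to `Image|endswith:` / `- '\cmd.exe'` / `- '\powershell.exe'` (and `'\pwsh.exe'` if that is wanted). Since every value under the single `CommandLine|contains` list is OR-ed, the flag fragments (` -noni `, ` -enc `, …) add matches only when the command line does not already contain `powershell`; if the intent is "powershell AND a suspicious flag", split them into two selections as the sibling rule in this commit does. The empty `+` line before `condition: selection` is a stray blank line inside the `detection:` mapping and should be dropped. The tags could also carry `attack.t1059.001`, since the rule keys on PowerShell command-line switches.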
@@ -0,0 +1,34 @@
+title: Javaw Spawning Suspicious Powershell Commands
+id: a0ec945f-2328-40e9-96f6-27dadf72861b
+status: experimental
+description: Detects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software.
+author: Chad Hudson, Matt Anderson
+references:
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+date: 2024-12-09
+tags:
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith:
+ - '\javaw.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ cmdline:
+ CommandLine|contains:
+ - ' -nop'
+ - ' -noni'
+ - ' -NonInteractive'
+ - ' -w hidden '
+ - ' -windowstyle hidden*'
+ - '(New-Object Net.WebClient).Download*'
+ - ' -enc '
+ - ' -EncodedCommand '
+ powershell:
+ CommandLine|contains: powershell
+ condition: selection and cmdline and powershell
+falsepositives:
+ - Unknown
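Review bot: The rule has no `level:` field — the hunk header counts 34 added lines and all 34 end at `- Unknown`, whereas the sibling rule in this commit closes with `level: high`; add a matching `level:` line so the rule passes the repository's rule checks and carries a severity for consumers. The trailing `*` in `' -windowstyle hidden*'` and `'(New-Object Net.WebClient).Download*'` is redundant under the `|contains` modifier, which already wildcards both ends, so write them as `' -windowstyle hidden'` and `'(New-Object Net.WebClient).Download'` to avoid backend-specific wildcard handling. The `tags` list names the technique `attack.t1059.001` but no tactic; adding `attack.execution` keeps it consistent with the other rule in this commit.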