diff --git a/Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml b/Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml
new file mode 100644
index 0000000000..58a34346ec
--- /dev/null
+++ b/Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml
@@ -0,0 +1,32 @@
+id: 87c1f90a-f868-4528-a9c1-15520249cae6
+name: Nishang Reverse TCP Shell in Base64
+description: |
+ 'Looks for Base64-encoded commands associated with the Nishang reverse TCP shell.
+ Ref: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1'
+requiredDataConnectors:
+ - connectorId: SecurityEvents
+ dataTypes:
+ - SecurityEvent
+tactics:
+ - Exfiltration
+relevantTechniques:
+ - T1011
+query: |
+SecurityEvent
+| where EventID == 4688
+| where Process in("powershell.exe","powershell_ise.exe") and CommandLine contains "-e"
+| mvexpand SS = split(CommandLine, " ")
+| where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}"
+| extend DecodeString = base64_decodestring(tostring(SS))
+| extend FinalString = replace("\\0", "", DecodeString)
+| where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex")
+| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: AccountCustomEntity
+ - entityType: Host
+ fieldMappings:
+ - identifier: FullName
+ columnName: HostCustomEntity
\ No newline at end of file
diff --git a/Hunting Queries/SecurityEvent/PowerCatDownload.yaml b/Hunting Queries/SecurityEvent/PowerCatDownload.yaml
index aa3312ac9e..3eefc81b5f 100644
--- a/Hunting Queries/SecurityEvent/PowerCatDownload.yaml
+++ b/Hunting Queries/SecurityEvent/PowerCatDownload.yaml
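Review bot: The lines under `query: |` (from `SecurityEvent` through the final `| extend timestamp …`) appear to carry no leading indentation, unlike the `query:` block in the ProcdumpofLsass.yaml hunk in this same change, so the block scalar would be empty and the YAML would fail to parse at `SecurityEvent` / `| where EventID == 4688`; every query line needs to be indented under `query: |` (if the indentation was only lost in rendering, ignore this). The tactic/technique mapping also looks off: a reverse TCP shell delivered through an encoded PowerShell command is not an exfiltration technique, and `T1011` is "Exfiltration Over Other Network Medium", so `tactics: - Execution` / `- CommandAndControl` with `relevantTechniques: - T1059` (PowerShell) would describe the query more accurately. Note that `CommandLine contains "-e"` is a very loose pre-filter (it also matches e.g. `-ExecutionPolicy`); the regex and decoded-content checks do the real work, which is worth stating in the description.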
@@ -14,7 +14,7 @@ query: |
 SecurityEvent
 | where EventID == 4688
 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
- | where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"
+ | where CommandLine hassuffix "powercat.ps1"
 | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
 entityMappings:
 - entityType: Account
diff --git a/Hunting Queries/SecurityEvent/ProcdumpofLsass.yaml b/Hunting Queries/SecurityEvent/ProcdumpofLsass.yaml
new file mode 100644
index 0000000000..6b7972eb19
--- /dev/null
+++ b/Hunting Queries/SecurityEvent/ProcdumpofLsass.yaml
@@ -0,0 +1,25 @@
+id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
+name: Procdump of LSASS memory
+description: |
+ 'Look for evidence of Procdump being used to dump LSASS process. Often used by attackers to access credentials stored on a system.'
+requiredDataConnectors:
+ - connectorId: SecurityEvents
+ dataTypes:
+ - SecurityEvent
+tactics:
+ - CredentialAccess
+relevantTechniques:
+ - T1003
+query: |
+ SecurityEvent
+ | where (Process has_any ("procdump.exe", "procdump64.exe") and CommandLine has "lsass")
+ | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: AccountCustomEntity
+ - entityType: Host
+ fieldMappings:
+ - identifier: FullName
+ columnName: HostCustomEntity
\ No newline at end of file
diff --git a/Sample Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilities-March2021.csv b/Sample Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilities-March2021.csv
new file mode 100644
index 0000000000..85d896a338
--- /dev/null
+++ b/Sample Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilities-March2021.csv
@@ -0,0 +1 @@
+DateAdded,IoC,Type,TLP,Release
\ No newline at end of file
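Review bot: `hassuffix "powercat.ps1"` only matches when the script name is the very last thing in `CommandLine`, so a command line with anything after it (a closing quote or parenthesis, or further arguments) is missed, which undercuts the intent of loosening the old full-URL match. `| where CommandLine has "powercat.ps1"` keeps the relaxed match without anchoring it to the end of the string. The description of the query (outside this hunk) still refers to the specific GitHub download, so it should be updated to say the query now matches any command line referencing powercat.ps1.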
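Review bot: The Procdump query filters `SecurityEvent` on `Process` and `CommandLine` without restricting to process-creation events, unlike the other two SecurityEvent queries in this change, which both start with `| where EventID == 4688`; `Process` may be populated on other event IDs as well, so rows that are not process creations can surface with an empty `CommandLine` context. Add `| where EventID == 4688` before the `Process has_any (...)` line for consistency and to keep the result set to the event the entity mappings assume. The description could also note that the match is on the image name and `lsass` appearing in the command line, so analysts know the scope of what this hunt does and does not cover.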