diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_code_injection.yml
rename to rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
index 8a0fa3a33..cc7de5f47 100644
--- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
+++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: 'Script block logging must be enabled'
+ definition: Script block logging must be enabled
 detection:
 selection2:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml
index 6fd05f5cb..29961866c 100644
--- a/rules/windows/powershell/powershell_create_local_user.yml
+++ b/rules/windows/powershell/powershell_create_local_user.yml
@@ -17,7 +17,7 @@ modified: 2021/08/04
 logsource:
 product: windows
 service: powershell
- definition: 'Script block logging must be enabled'
+ definition: Script block logging must be enabled
 detection:
 selection:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml
index ada73d64b..72ba0304a 100644
--- a/rules/windows/powershell/powershell_data_compressed.yml
+++ b/rules/windows/powershell/powershell_data_compressed.yml
@@ -10,7 +10,7 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: 'Script block logging must be enabled'
+ definition: Script block logging must be enabled
 detection:
 selection:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml
index 63a590f30..bfe388a4c 100644
--- a/rules/windows/powershell/powershell_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_dnscat_execution.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: 'Script block logging must be enabled'
+ definition: Script block logging must be enabled
 detection:
 selection:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml
index c6e83568c..a9d9036af 100644
--- a/rules/windows/powershell/powershell_icmp_exfiltration.yml
+++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: 'Script block logging must be enabled'
+ definition: Script block logging must be enabled
 detection:
 selection:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml
index 9d7443edb..64e93f5a8 100644
--- a/rules/windows/powershell/powershell_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_invoke_nightmare.yml
@@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski
 logsource:
 product: windows
 service: powershell
- definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
+ definition: Script Block Logging must be enable
 detection:
 selection:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
index 5b638d941..330912c96 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
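Review bot: The new `definition` line in powershell_invoke_nightmare.yml reads `Script Block Logging must be enable`, which drops the final letter, and it also differs in casing from the wording the other rules in this patch settle on; I would write `definition: Script block logging must be enabled` so every rule states the same prerequisite the same way. The removed text additionally told the reader that script block logging arrived with PowerShell v5, which is a useful deployment hint worth keeping, e.g. `definition: Script block logging (PowerShell 5+) must be enabled`. The `selection` under `detection` continues past the end of the hunk.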
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: 'Script block logging must be enabled'
+ definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103
 detection:
 selection_1:
 EventID: 4104
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index ad4609d8d..34c4ccb08 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -10,13 +10,13 @@ tags:
 - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
-modified: 2020/10/11
+modified: 2021/08/21
 logsource:
 product: windows
 service: powershell
- definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+ definition: Script Block Logging must be enable
 detection:
- keywords:
+ select_Malicious:
 EventID: 4104
 ScriptBlockText|contains:
 - "Invoke-DllInjection"
@@ -115,10 +115,8 @@ detection:
 - "Invoke-Mimikittenz"
 - "Invoke-AllChecks"
 false_positives:
- EventID: 4104
- ScriptBlockText|contains:
- - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- condition: keywords and not false_positives
+ ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+ condition: select_Malicious and not false_positives
 falsepositives:
 - Penetration testing
 level: high
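Review bot: The new `definition` in powershell_invoke_obfuscation_via_stdin.yml carries the truncated word `Module Logging must be enable`, and since this is the one rule in the patch whose prerequisites differ from the others it deserves a precise sentence: `definition: Script block logging must be enabled (EventID 4104) and module logging must be enabled (EventID 4103)`. The hunk shows only `selection_1` on EventID 4104; I assume a second selection on 4103 follows below, which is presumably why both prerequisites are listed — worth confirming that selection exists so the definition does not overstate what the rule needs. The `detection` block runs past the end of the hunk.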
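Review bot: Replacing the `definition` in powershell_malicious_commandlets.yml drops the `https://adsecurity.org/?p=2277` link, which was the only visible pointer to the source of the cmdlet list; unless it already appears under `references` (outside this hunk), move it there rather than discarding it, and fix `must be enable` to `must be enabled` as in the other rules. The rename from `keywords` to `select_Malicious` is sound because the old name suggested an unkeyed keyword list while this is a field-based selection, but the other selections in this patch are lowercase (`selection`, `selection_1`, `selection2`), so `selection_malicious` would fit that convention better. The `ScriptBlockText|contains` list continues beyond the hunk.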
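Review bot: The simplified `false_positives` filter suppresses any 4104 event whose script block merely contains the substring `Get-SystemDriveInfo`, so a script that also contains one of the flagged cmdlets (say `Invoke-DllInjection`) is excluded from this high-level rule just because that string appears anywhere in it, including a comment — an easy bypass once the filter is public. Since the trailing comment ties the exclusion to the built-in `CL_Utility.ps1`, the filter would be safer anchored on something specific to that script rather than a bare function name, for example `ScriptBlockText|contains|all` with a second CL_Utility-specific string, or on the script path if this 4104 log source exposes one. Dropping `EventID: 4104` from the filter is harmless here, as `select_Malicious` already requires it and Sigma evaluates the condition per event.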
diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cmdline_reversed_strings.yml
rename to rules/windows/process_creation/win_powershell_cmdline_reversed_strings.yml
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cmdline_special_characters.yml
rename to rules/windows/process_creation/win_powershell_cmdline_special_characters.yml
diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
rename to rules/windows/process_creation/win_powershell_cmdline_specific_comb_methods.yml