diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index 6f187cfbd..e47caf118 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -18,6 +18,7 @@ logsource:
 product: windows
 service: powershell
 definition: Module Logging must be enable
+detection:
 selection_4103:
 EventID: 4103
 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index ab97eb0d9..267532036 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -2,7 +2,7 @@ title: Zip A Folder With PowerShell For Staging In Temp
 id: daf7eb81-35fd-410d-9d7a-657837e602bb
 related:
 - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- related: derived
+ type: derived
 status: experimental
 author: frack113
 date: 2021/07/20
diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_adrecon_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_automated_collection.yml
rename to rules/windows/powershell/powershell_script/powershell_automated_collection.yml
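Review bot: The `Payload|re` pattern that the added `detection:` key now scopes is case-sensitive for `cmd` and `set` unless the target backend compiles Sigma regexes case-insensitively, and Invoke-Obfuscation output routinely varies letter case, so the selection may miss the very invocations it targets; where backends honour inline flags, `Payload|re: '(?i).*cmd.{0,5}/[cr]\s?\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'` keeps the same match set with a simpler alternation. The unanchored `.*` inside the repeated `(?:.*\)){1,}` group also backtracks heavily on long 4103 payloads, which is worth measuring before this rule runs against every module-logging event; do not drop the leading `.*` blindly, since backends that anchor regexes (Elasticsearch's `regexp` query does) need it. Indentation is lost in this collapsed hunk, so confirm that `selection_4103` and the rule's `condition:` (outside the hunk) are both nested under the new `detection:` rather than left under `logsource:`, which is what the old file effectively had. The context line `definition: Module Logging must be enable` would also read better as `Module Logging must be enabled`.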
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
similarity index 100%
rename from rules/windows/powershell/powershell_create_local_user.yml
rename to rules/windows/powershell/powershell_script/powershell_create_local_user.yml
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
similarity index 100%
rename from rules/windows/powershell/powershell_data_compressed.yml
rename to rules/windows/powershell/powershell_script/powershell_data_compressed.yml
diff --git a/rules/windows/powershell/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/powershell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_dnscat_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
similarity index 100%
rename from rules/windows/powershell/powershell_icmp_exfiltration.yml
rename to rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
similarity index 100%
rename from rules/windows/powershell/powershell_invoke_nightmare.yml
rename to rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
diff --git a/rules/windows/powershell/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/powershell_keylogging.yml
similarity index 100%
rename from rules/windows/powershell/powershell_keylogging.yml
rename to rules/windows/powershell/powershell_script/powershell_keylogging.yml
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
similarity index 100%
rename from rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml
rename to rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
similarity index 100%
rename from rules/windows/powershell/powershell_ntfs_ads_access.yml
rename to rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
similarity index 100%
rename from rules/windows/powershell/powershell_prompt_credentials.yml
rename to rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_script/powershell_psattack.yml
similarity index 100%
rename from rules/windows/powershell/powershell_psattack.yml
rename to rules/windows/powershell/powershell_script/powershell_psattack.yml
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellcode_b64.yml
rename to rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
similarity index 100%
rename from rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml
rename to rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mail_acces.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_recon.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
diff --git a/rules/windows/powershell/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/powershell_timestomp.yml
similarity index 100%
rename from rules/windows/powershell/powershell_timestomp.yml
rename to rules/windows/powershell/powershell_script/powershell_timestomp.yml
diff --git a/rules/windows/powershell/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
similarity index 100%
rename from rules/windows/powershell/powershell_trigger_profiles.yml
rename to rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
diff --git a/rules/windows/powershell/powershell_web_request.yml b/rules/windows/powershell/powershell_script/powershell_web_request.yml
similarity index 100%
rename from rules/windows/powershell/powershell_web_request.yml
rename to rules/windows/powershell/powershell_script/powershell_web_request.yml
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_winlogon_helper_dll.yml
rename to rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmi_persistence.yml
rename to rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmimplant.yml
rename to rules/windows/powershell/powershell_script/powershell_wmimplant.yml