diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index d4f1dcd25..5ca45f7d1 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -1,5 +1,8 @@
 title: In-memory PowerShell
 id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
+related:
+  - id: 867613fb-fa60-4497-a017-a82df74a172c
+    type: obsoletes
 status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova
diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
deleted file mode 100755
index 111759c39..000000000
--- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: PowerShell Execution
-id: 867613fb-fa60-4497-a017-a82df74a172c
-description: Detects execution of PowerShell
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-  - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
-tags:
-  - attack.execution
-  - attack.t1086 # an old one
-  - attack.t1059.001
-logsource:
-  category: image_load
-  product: windows
-detection:
-  selection:
-    Description: 'System.Management.Automation'
-    ImageLoaded|contains: 'System.Management.Automation'
-  condition: selection
-fields:
-  - ComputerName
-  - Image
-  - ProcessID
-  - ImageLoaded
-falsepositives:
-  - Unknown
-level: medium
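Review bot: The new `related` entry with `type: obsoletes` narrows detection coverage without saying so: the rule it obsoletes (867613fb-fa60-4497-a017-a82df74a172c, deleted in the second file of this diff) matched any process whose loaded image carried the System.Management.Automation description and path, whereas this rule's own description states it excludes powershell.exe. Consumers migrating from the old rule therefore lose the baseline of legitimate PowerShell module loads, which is a deliberate scope reduction worth recording next to the link, e.g. `# obsoleted rule also matched powershell.exe itself; those baseline module loads are intentionally out of scope here`. The hunk covers only the first five lines of the rule, so if it carries a `modified:` date further down, that field should presumably be bumped alongside this metadata change.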