diff --git a/rules/windows/sysmon/sysmon_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
similarity index 94%
rename from rules/windows/sysmon/sysmon_control_panel_item.yml
rename to rules/windows/process_creation/win_control_panel_item.yml
index 0f34beb93..254a4ae13 100644
--- a/rules/windows/sysmon/sysmon_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -12,7 +12,7 @@ date: 2019/08/27
 level: critical
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection:
         CommandLine: '*.cpl'
diff --git a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_powersploit_schtasks.yml
rename to rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index bf8d355f0..cf9a1d685 100644
--- a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -9,11 +9,11 @@ author: Markus Neis, @Karneades
 date: 2018/03/06
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection:
         ParentImage:
-            - '*\Powershell.exe'
+            - '*\powershell.exe'
         CommandLine:
             - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*'
             - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*'
diff --git a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
rename to rules/windows/process_creation/win_win10_sched_task_0day.yml
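Review bot: The switch from `service: sysmon` to `category: process_creation` widens this rule from Sysmon Event ID 1 to every process-creation source a backend maps to that category, but nothing in the rule records that its scope changed; if the repository tracks a `modified` field, add `modified: <date of this change>` next to `date: 2019/08/27`. On backends that serve this category from Security event 4688, the `CommandLine` field is only present when process command-line auditing is enabled, so the `'*.cpl'` selection would silently never match there — a comment such as `# CommandLine is empty on 4688 unless command-line auditing is enabled` above the selection would save the next reviewer the surprise. The same logsource change appears in the second hunk (win_powersploit_empire_schtasks.yml) and carries the same caveat. The `condition:` of this detection block lies outside the hunk.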
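Review bot: The two `CommandLine` patterns in this selection only match when the schtasks switches appear in the fixed order `/Create … /SC … /TN … /TR`, yet schtasks accepts its switches in any order, so the same task creation with the switches rearranged is not detected; splitting the pattern into a `CommandLine|contains|all` selection plus a separate schedule selection makes the match order-independent. The `ParentImage` change to `'*\powershell.exe'` is cosmetic, since Sigma string matching is case-insensitive by default, though it does line up with the lowercase `*powershell*` used in the patterns. The detection block's `condition:` is outside the hunk and would need to become `selection and schedule` for the restructure below.
```yaml
    selection:
        ParentImage:
            - '*\powershell.exe'
        CommandLine|contains|all:
            - 'schtasks'
            - '/Create'
            - '/TN'
            - 'Updater'
            - '/TR'
            - 'powershell'
    schedule:
        CommandLine|contains:
            - 'ONLOGON'
            - 'DAILY'
    # … unchanged: condition (outside the hunk), adjusted to "selection and schedule" …
```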