diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
similarity index 68%
rename from rules/windows/sysmon/sysmon_remote_powershell_session_process.yml
rename to rules/windows/process_creation/win_remote_powershell_session_process.yml
index 09b19b64..9367378c 100644
--- a/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -7,16 +7,13 @@ author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
 logsource:
+ category: process_creation
 product: windows
- service: sysmon
 detection:
- selection_1:
- EventID: 1
- Image|endswith: '\wsmprovhost.exe'
- selection_2:
- EventID: 1
- ParentImage|endswith: '\wsmprovhost.exe'
- condition: selection_1 or selection_2
+ selection:
+ - Image|endswith: '\wsmprovhost.exe'
+ - ParentImage|endswith: '\wsmprovhost.exe'
+ condition: selection
 falsepositives:
 - Unknown
 level: critical
\ No newline at end of file
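Review bot: The new `selection` fires on every WinRM-hosted PowerShell session — any `wsmprovhost.exe` start or any child it spawns — yet `falsepositives` is still `Unknown` and `level` stays `critical`, which will page on routine remote administration in any environment that uses PowerShell remoting for management. The OR-list form is logically equivalent to the old `selection_1 or selection_2`, so the detection itself is unchanged; the concern is the unaddressed tuning. I would replace the placeholder with `- Legitimate administrative use of PowerShell remoting / WinRM (configuration management, remote support)` and reconsider whether `high` is the better level, or add a filter on the hosts expected to initiate remoting. Note also that moving to `category: process_creation` now lets the rule map to Security 4688 as well as Sysmon 1; on older Windows versions 4688 does not carry a creator process name, so the `ParentImage` branch may silently never match there — worth a comment in the rule or the description (confirm against the backend mappings in use). The file still lacks a trailing newline.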