diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
index f335f7597..7ea7aada0 100644
--- a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
+++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml
@@ -1,10 +1,7 @@
 title: Path To Screensaver Binary Modified
 id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
 status: experimental
-description: >
- Detects value modification of registry key containing path to binary used as screensaver.
- Adversaries may establish persistence by executing malicious content triggered by user inactivity.
- Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
+description: Detects value modification of registry key containing path to binary used as screensaver.
 references:
 - https://attack.mitre.org/techniques/T1546/002/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
@@ -22,7 +19,9 @@ detection:
 selection:
 TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
 filter:
- ParentImage: 'C:\Windows\System32\services.exe'
+ Image|endswith:
+ - '\rundll32.exe'
+ - '\explorer.exe'
 condition: selection and not filter
 level: medium
 falsepositives:
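Review bot: The one-line description drops the sentence that explained why a write to this value matters, so a reader of the rule no longer sees the persistence rationale without following the references. Keeping it as a second sentence, `Adversaries may establish persistence by executing malicious content triggered by user inactivity.`, costs one line and leaves the shortened form otherwise intact.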
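Review bot: The new `Image|endswith` filter excludes any process whose file name ends in rundll32.exe or explorer.exe regardless of the directory it runs from, so a copy of either binary placed elsewhere, or an unrelated binary carrying that name, is also dropped from the alert; the suffix match is wider than the exclusion needs to be, and the `ParentImage` filter it replaces was path-anchored, so this is a step down in precision. Because both legitimate writers live under C:\Windows, matching `Image` on the full paths keeps the intended false-positive reduction without widening the blind spot. An exclusion on rundll32.exe, a frequently abused host process, also deserves an inline comment naming the legitimate flow it covers (presumably the Control Panel screensaver dialog, which should be confirmed), and the `falsepositives` list, which continues past the hunk, should mention that flow as well.
```yaml
    filter:
        Image:
            - 'C:\Windows\System32\rundll32.exe'
            - 'C:\Windows\SysWOW64\rundll32.exe'
            - 'C:\Windows\explorer.exe'
    # … unchanged: condition, level …
```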