
Summary
This detection rule identifies the creation of suspicious screensaver binary files (those with a .scr file extension) on Windows systems. Adversaries may leverage screensavers as a persistence mechanism, allowing a malicious payload to execute after a period of user inactivity. Because screensavers are Portable Executable (PE) files, file creation events should be monitored, in particular for files whose name ends in .scr. The rule filters out known benign screensaver executables such as 'Kindle.exe' and 'ccSvcHst.exe', so that only .scr creations outside these exclusions are flagged. By using Windows file creation event logs, the rule aims to proactively detect attempts to establish persistence through malicious screensaver files.
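The matching logic described above, run over a constructed sample of file creation events, as an added example that is not the rule's own definition. It assumes Sysmon Event ID 11 (FileCreate) records serialised as one JSON object per line, and assumes the exclusions are a case-insensitive suffix match on the creating process image; the field names and sample paths are constructed for illustration.

```python
import json
from typing import Iterable, List

# Sysmon Event ID 11 is FileCreate; the logic below mirrors the rule's idea:
# flag .scr creations unless the creating process is an excluded image.
FILECREATE_EVENT_ID = 11
# Assumed: exclusions key on the creating process image (case-insensitive suffix match).
EXCLUDED_IMAGE_SUFFIXES = ("\\kindle.exe", "\\ccsvchst.exe")

# Constructed sample log, one JSON-serialised Sysmon event per line (not real telemetry).
SAMPLE_LOG = r'''
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\update.scr"}
{"EventID": 11, "Image": "C:\\Program Files\\Amazon\\Kindle\\Kindle.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Amazon\\Kindle\\ss.scr"}
{"EventID": 11, "Image": "C:\\Program Files\\Norton\\ccSvcHst.exe", "TargetFilename": "C:\\ProgramData\\Norton\\ns.scr"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Temp\\notes.scr.txt"}
{"EventID": 11, "Image": "C:\\Users\\bob\\Downloads\\installer.exe", "TargetFilename": "C:\\Users\\bob\\Desktop\\Photos.SCR"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
'''

def is_suspicious_scr_creation(event: dict) -> bool:
    """True when a FileCreate event writes a .scr file from a non-excluded process."""
    if event.get("EventID") != FILECREATE_EVENT_ID:
        return False
    # Windows file names are case-insensitive, so "Photos.SCR" must match
    # while a double extension such as "notes.scr.txt" must not.
    target = str(event.get("TargetFilename", "")).lower()
    if not target.endswith(".scr"):
        return False
    image = str(event.get("Image", "")).lower()
    return not image.endswith(EXCLUDED_IMAGE_SUFFIXES)

def find_suspicious_scr_creations(log_lines: Iterable[str]) -> List[str]:
    """Parse JSON event lines and return the target paths of flagged creations."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        if is_suspicious_scr_creation(event):
            hits.append(event["TargetFilename"])
    return hits

if __name__ == "__main__":
    for path in find_suspicious_scr_creations(SAMPLE_LOG.splitlines()):
        print("ALERT: suspicious .scr file created:", path)
```

Note that an exclusion keyed only on the image name can be satisfied by any process that happens to carry that name, so the excluded images are best treated as a tuning list to review against signed-binary metadata rather than a guarantee of benign behaviour.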
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
ATT&CK Techniques
- T1546.002
Created: 2021-12-29