
Summary
This detection rule is designed to identify unauthorized changes to the print driver subsystem on Windows systems, specifically additional DLL files introduced into the Spool Driver directory. This behavior is notably associated with the PrintNightmare exploit (CVE-2021-1675), a significant vulnerability allowing remote code execution through the Windows Print Spooler service. The rule consumes endpoint event logs collected by Sysmon and checks for additions of DLL files to the print drivers directory. It filters for specific event codes related to file creation and alteration (EventCode 11 and EventCode 23), which indicate that new DLLs are being loaded into spoolsv.exe. The rule further narrows its focus to files in the system directory related to the Spool Driver by applying a regex match on the target filename. When these conditions are met, it records the related event details to aid incident investigation and response. The techniques covered by this detection correspond to persistence mechanisms, particularly logon autostart execution, which allow threat actors to persist beyond their initial actions. This rule highlights the risk posed by malicious software associated with known cyber threat groups and emphasizes the importance of monitoring print spooler services for unauthorized changes.
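The filtering logic described above, applied to a handful of Sysmon events, as an added example that is not the rule's own search. It assumes Sysmon records serialised as one JSON object per line with the standard Sysmon field names (Image, TargetFilename, UtcTime, ProcessId) plus a Splunk-style EventCode field; the regex for the spool driver store and the sample events are constructed for illustration, not taken from the rule.

```python
import json
import re
from typing import Iterable, List

# Assumed pattern for a DLL landing under the print spooler's driver store
# (any depth below \spool\drivers\, case-insensitive as Windows paths are).
SPOOL_DRIVER_DLL = re.compile(r"\\spool\\drivers\\.*\.dll$", re.IGNORECASE)

# Event codes the summary names: Sysmon 11 (FileCreate) and 23 (FileDelete).
WATCHED_EVENT_CODES = {11, 23}

# Fields kept in a hit so an analyst can pivot during triage.
RECORDED_FIELDS = ("UtcTime", "Computer", "EventCode", "ProcessId", "Image", "TargetFilename")


def is_spool_driver_dll_write(event: dict) -> bool:
    """Return True when spoolsv.exe created or deleted a DLL in the driver store."""
    if event.get("EventCode") not in WATCHED_EVENT_CODES:
        return False
    image = event.get("Image", "")
    if not image.lower().endswith("\\spoolsv.exe"):
        return False
    return SPOOL_DRIVER_DLL.search(event.get("TargetFilename", "")) is not None


def detect(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-per-line Sysmon records and collect the events that match."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the whole batch
        if is_spool_driver_dll_write(event):
            hits.append({field: event.get(field) for field in RECORDED_FIELDS})
    return hits


# Constructed sample telemetry (not real events). Backslashes are doubled
# because the text is JSON inside a raw Python string.
SAMPLE_EVENTS = r"""
{"EventCode": 11, "UtcTime": "2024-02-09 10:15:01.000", "Computer": "ws01.example.test", "ProcessId": 1234, "Image": "C:\\Windows\\System32\\spoolsv.exe", "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\unexpected.dll"}
{"EventCode": 11, "UtcTime": "2024-02-09 10:15:02.000", "Computer": "ws01.example.test", "ProcessId": 1234, "Image": "C:\\Windows\\System32\\spoolsv.exe", "TargetFilename": "C:\\Windows\\System32\\spool\\PRINTERS\\00005.SPL"}
{"EventCode": 11, "UtcTime": "2024-02-09 10:15:03.000", "Computer": "ws01.example.test", "ProcessId": 5678, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\vendor.dll"}
{"EventCode": 23, "UtcTime": "2024-02-09 10:15:04.000", "Computer": "ws01.example.test", "ProcessId": 1234, "Image": "C:\\Windows\\System32\\spoolsv.exe", "TargetFilename": "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\Old\\stale.dll"}
{"EventCode": 1, "UtcTime": "2024-02-09 10:15:05.000", "Computer": "ws01.example.test", "ProcessId": 9999, "Image": "C:\\Windows\\System32\\spoolsv.exe", "CommandLine": "spoolsv.exe"}
this line is not JSON and must be skipped
"""


def run_sample() -> List[dict]:
    """Run the detection over the constructed sample and return the hits."""
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for hit in run_sample():
        print(json.dumps(hit))
```

Only the first and fourth records survive: the spool file write is not a DLL, the vendor DLL is written by msiexec.exe rather than spoolsv.exe, and the process-creation event has the wrong event code. Tuning in practice means deciding how to treat legitimate driver installations, which also write DLLs into this directory through spoolsv.exe.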
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Logon Session
ATT&CK Techniques
- T1547
Created: 2024-02-09