Spoolsv Writing a DLL

Splunk Security Content

Summary
This detection rule identifies instances where the Windows Print Spooler service (spoolsv.exe) is observed writing a DLL file, which is atypical behavior often associated with exploitation attempts such as the PrintNightmare vulnerability (CVE-2021-34527). By monitoring process and filesystem events through the Endpoint datamodel, the rule specifically looks for DLL file creations in the print-driver spool directory (\spool\drivers\x64\). Such an event could indicate an attacker attempting to execute a malicious payload through the Print Spooler service, posing a significant risk of unauthorized code execution and system compromise. Prompt endpoint isolation and thorough investigation are advised upon detection of such an event.
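The rule's core condition, reimplemented in Python over constructed file-creation events shaped like Endpoint.Filesystem datamodel fields (process_name, file_name, file_path, dest); this is an added illustration, not the Splunk search itself, and the host names, paths and field shapes are assumptions:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in the shape of Endpoint.Filesystem fields.
# These are not real telemetry; they exercise the rule's match and non-match cases.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "print01", "process_name": "spoolsv.exe",        # should alert
     "file_name": "evil.dll",
     "file_path": r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll"},
    {"dest": "print01", "process_name": "SPOOLSV.EXE",        # casing differs, still matches
     "file_name": "UNIDRV.DLL",
     "file_path": r"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\X64\3\UNIDRV.DLL"},
    {"dest": "print01", "process_name": "spoolsv.exe",        # spool job file, not a DLL
     "file_name": "00004.SHD",
     "file_path": r"C:\Windows\System32\spool\PRINTERS\00004.SHD"},
    {"dest": "ws02", "process_name": "msiexec.exe",           # DLL, but not written by spoolsv
     "file_name": "setup.dll",
     "file_path": r"C:\Windows\System32\spool\drivers\x64\3\setup.dll"},
    {"dest": "ws02", "process_name": "spoolsv.exe",           # DLL outside the driver directory
     "file_name": "helper.dll",
     "file_path": r"C:\Users\Public\helper.dll"},
]

# The rule scopes on the x64 print-driver spool directory; match it case-insensitively
# because Windows paths and EDR/Sysmon telemetry vary in casing.
SPOOL_DRIVER_DIR = re.compile(r"\\spool\\drivers\\x64\\", re.IGNORECASE)


def is_spoolsv_dll_write(event: Dict[str, str]) -> bool:
    r"""True when spoolsv.exe creates a .dll under \spool\drivers\x64\."""
    proc = event.get("process_name", "").lower()
    name = event.get("file_name", "").lower()
    path = event.get("file_path", "")
    return (proc == "spoolsv.exe"
            and name.endswith(".dll")
            and SPOOL_DRIVER_DIR.search(path) is not None)


def find_spoolsv_dll_writes(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (dest, file_path) pairs that an analyst should triage."""
    return [(e["dest"], e["file_path"]) for e in events if is_spoolsv_dll_write(e)]


if __name__ == "__main__":
    for dest, path in find_spoolsv_dll_writes(SAMPLE_EVENTS):
        print(f"ALERT {dest}: spoolsv.exe wrote {path}")
```

Note that the second sample (UNIDRV.DLL) also fires: legitimate print-driver installs write DLLs to the same directory, so triage should compare the hit against known driver deployments and the driver package's signature before isolating the host.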
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
  • Windows Registry
ATT&CK Techniques
  • T1547.012
  • T1547
Created: 2024-12-10