Potential PrintNightmare File Modification

Elastic Detection Rules

Summary
This rule detects the creation or modification of print driver files with suspicious file names by the Print Spooler service, activity consistent with exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It matches file events from Windows logs in which the 'spoolsv.exe' process creates or modifies specific DLLs under the print driver directory inside Windows System32. The rule has a severity of high and a risk score of 73. A hit indicates a potential privilege escalation attempt and warrants investigation; because legitimate printer driver installation also writes DLLs to that directory, the file name and the originating host and user should be reviewed before treating the alert as confirmed exploitation. The rule supports both Sysmon and Elastic Endpoint data sources and maps to MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation).
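The following is an added example, not the rule's own query or any code from Elastic: it approximates the logic described in the summary in Python and runs it over constructed ECS-style file events. The page does not list the suspicious file names or the exact path pattern, so the set of DLL names (core OS library names that a printer driver package has no reason to introduce) and the spool driver directory pattern are assumptions, marked as such in the code.

```python
"""Approximation of the 'Potential PrintNightmare File Modification' rule logic.

Added example, not Elastic's rule. Evaluates ECS-style file events the way the
summary describes: spoolsv.exe creating or modifying a DLL with a suspicious
name under the print driver directory in Windows System32.
"""
from fnmatch import fnmatchcase

RULE_NAME = "Potential PrintNightmare File Modification"
SEVERITY = "high"
RISK_SCORE = 73
ATTACK_TECHNIQUE = "T1068"  # Exploitation for Privilege Escalation

# Assumption: the page does not list the suspicious names. This illustrative set
# holds core OS DLL names a printer driver package should never introduce into the
# spool driver store. Substitute the name list from the deployed rule.
SUSPICIOUS_DLL_NAMES = {"kernelbase.dll", "ntdll.dll", "kernel32.dll",
                        "user32.dll", "winhttp.dll"}

# Assumption: the Print Spooler's driver store under System32, written as an
# EQL-style wildcard (any drive letter, any subdirectory). Compared lowercased.
PRINT_DRIVER_PATH_PATTERN = "?:\\windows\\system32\\spool\\drivers\\*"


def matches_rule(event: dict) -> bool:
    """Return True when one ECS-style event satisfies all of the rule's conditions."""
    if event.get("host.os.type") != "windows":
        return False
    # Only creation/modification counts; deletions are excluded.
    if event.get("event.category") != "file" or event.get("event.type") == "deletion":
        return False
    # EQL's ':' operator is case-insensitive, so normalise before comparing.
    if (event.get("process.name") or "").lower() != "spoolsv.exe":
        return False
    name = (event.get("file.name") or "").lower()
    path = (event.get("file.path") or "").lower()
    if not name.endswith(".dll"):
        return False
    if not fnmatchcase(path, PRINT_DRIVER_PATH_PATTERN):
        return False
    return name in SUSPICIOUS_DLL_NAMES


def evaluate(events: list[dict]) -> list[dict]:
    """Produce one alert record per matching event, carrying the rule metadata for triage."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "rule": RULE_NAME,
                "severity": SEVERITY,
                "risk_score": RISK_SCORE,
                "attack_technique": ATTACK_TECHNIQUE,
                "host": ev.get("host.name"),
                "event.type": ev.get("event.type"),
                "file.path": ev.get("file.path"),
            })
    return alerts


# Constructed sample events (not real telemetry). The first and last should alert.
SAMPLE_EVENTS = [
    {   # spoolsv.exe drops a DLL named after a core OS library into the driver store
        "host.name": "ws01", "host.os.type": "windows", "event.category": "file",
        "event.type": "creation", "process.name": "spoolsv.exe",
        "file.name": "kernelbase.dll",
        "file.path": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\kernelbase.dll",
    },
    {   # ordinary driver file written during a normal printer installation: no alert
        "host.name": "ws01", "host.os.type": "windows", "event.category": "file",
        "event.type": "creation", "process.name": "spoolsv.exe",
        "file.name": "unidrv.dll",
        "file.path": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\unidrv.dll",
    },
    {   # deletion of a suspicious name is excluded by the rule: no alert
        "host.name": "ws01", "host.os.type": "windows", "event.category": "file",
        "event.type": "deletion", "process.name": "spoolsv.exe",
        "file.name": "ntdll.dll",
        "file.path": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\ntdll.dll",
    },
    {   # same file name, but a different process writing outside the driver store: no alert
        "host.name": "ws02", "host.os.type": "windows", "event.category": "file",
        "event.type": "creation", "process.name": "msiexec.exe",
        "file.name": "kernelbase.dll",
        "file.path": "C:\\Program Files\\Vendor\\kernelbase.dll",
    },
    {   # mixed case in process, name and path still matches, as with EQL's ':' operator
        "host.name": "ws03", "host.os.type": "windows", "event.category": "file",
        "event.type": "change", "process.name": "SPOOLSV.EXE",
        "file.name": "WinHTTP.dll",
        "file.path": "c:\\windows\\system32\\SPOOL\\DRIVERS\\x64\\3\\WinHTTP.dll",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The two alerts carry the rule name, severity, risk score and T1068 mapping alongside the host and path, which is what an analyst needs to start the triage the summary calls for; the benign driver write, the deletion and the non-spooler write are filtered out by the same conditions the rule applies.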
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • File
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1068
Created: 2021-07-06