Unusual Print Spooler Child Process

Elastic Detection Rules

Summary
This detection rule identifies unusual behavior from the Print Spooler service (spoolsv.exe) on Windows systems, since such behavior may indicate attempts to exploit privilege escalation vulnerabilities. The rule specifically looks for unusual child processes spawned by the Print Spooler within the last 9 months, using EQL (Event Query Language) to detect when the Print Spooler launches child processes that do not conform to expected behavior. The rule incorporates a list of exclusions for known legitimate processes and command lines to minimize false positives. The detection carries a risk score of 47, which places it at medium severity. Guidance on setup, triage, investigation, and false positive analysis is also provided to help security teams use the rule effectively and respond to the alerts it generates.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1068
Created: 2021-07-06