
Summary
This analytic rule detects child processes spawned by the Windows Print Spooler service (spoolsv.exe), which runs with SYSTEM privileges on Windows. By monitoring parent-child process relationships and flagging processes whose parent is spoolsv.exe, it helps surface exploitation attempts against vulnerabilities such as CVE-2018-8440. Successful exploitation of that vulnerability yields privilege escalation, allowing an attacker to execute arbitrary code as SYSTEM, which poses a significant risk to system integrity. The detection is built on process execution telemetry collected by Endpoint Detection and Response (EDR) solutions and draws on data sources including Sysmon and Windows Event logs to isolate suspicious activity for further investigation. It is particularly useful for organizations that want to strengthen monitoring for privilege escalation attacks in environments where the Print Spooler service is running.
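The following is an added illustration of the parent-child matching the rule describes, not the rule's own search logic. It runs the check over a handful of constructed Sysmon Event ID 1 (process creation) records embedded inline; the field names (Image, ParentImage, CommandLine, User) follow Sysmon's process-creation schema, while the event contents and the optional allow-list of expected child images are assumptions for the example:

```python
"""Flag process-creation events whose parent is spoolsv.exe (example, not the rule's own code)."""
import ntpath
from typing import Iterable

# Constructed sample records shaped like Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    # The spooler itself starting under services.exe: normal, not a child of spoolsv.exe.
    {"EventID": 1, "UtcTime": "2024-11-13 10:00:01",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "spoolsv.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # A shell spawned by the spooler: this is what the rule is looking for.
    {"EventID": 1, "UtcTime": "2024-11-13 10:05:12",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "CommandLine": "cmd.exe /c echo test", "User": r"NT AUTHORITY\SYSTEM"},
    # Unrelated user activity.
    {"EventID": 1, "UtcTime": "2024-11-13 10:06:00",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe", "User": r"CORP\alice"},
    # Same parent with different path casing: must still match.
    {"EventID": 1, "UtcTime": "2024-11-13 10:07:30",
     "Image": r"C:\Windows\Temp\update.exe",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\SPOOLSV.EXE",
     "CommandLine": "update.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Lookalike parent name: basename is not exactly spoolsv.exe, so no match.
    {"EventID": 1, "UtcTime": "2024-11-13 10:08:00",
     "Image": r"C:\Users\Public\tool.exe",
     "ParentImage": r"C:\Users\Public\notspoolsv.exe",
     "CommandLine": "tool.exe", "User": r"CORP\bob"},
    # Not a process-creation event (network connection); skipped regardless of fields.
    {"EventID": 3, "UtcTime": "2024-11-13 10:09:00",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe"},
]


def _basename_lower(path: str) -> str:
    """Reduce a Windows image path to its lower-cased file name (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def is_spoolsv_child(event: dict, allowed_children: frozenset = frozenset()) -> bool:
    """True when a process-creation event records spoolsv.exe as the parent.

    allowed_children is an assumed, environment-specific allow-list of child
    image names (lower-case basenames) that a site has reviewed as expected;
    it is empty by default so every spooler child is reported.
    """
    if event.get("EventID") != 1:
        return False
    if _basename_lower(event.get("ParentImage", "")) != "spoolsv.exe":
        return False
    return _basename_lower(event.get("Image", "")) not in allowed_children


def find_spoolsv_children(events: Iterable[dict], allowed_children: frozenset = frozenset()) -> list:
    """Return the events that should raise this analytic, in input order."""
    return [e for e in events if is_spoolsv_child(e, allowed_children)]


def describe(event: dict) -> str:
    """One-line triage summary for an alerting event."""
    return (f"{event.get('UtcTime', '?')} spoolsv.exe -> {event.get('Image', '?')} "
            f"user={event.get('User', '?')} cmd={event.get('CommandLine', '?')!r}")


if __name__ == "__main__":
    for hit in find_spoolsv_children(SAMPLE_EVENTS):
        print(describe(hit))
```

Matching on the lower-cased basename rather than the full path keeps the check robust to casing and install-location differences, while the exact basename comparison avoids treating a lookalike such as notspoolsv.exe as the spooler. Any allow-list should be populated only after reviewing what the spooler legitimately launches in a given environment, since the value of this rule lies in the spooler normally having very few children.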
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1068
Created: 2024-11-13