
Summary
This detection rule targets exploits associated with a specific Windows Print Spooler vulnerability (CVE-2020-1030) that enables privilege escalation by allowing unauthorized DLLs to be loaded into the print spooler process running with SYSTEM privileges. The rule works by identifying suspicious modifications in the Windows registry that pertain to the print spooler's configuration, specifically focusing on the registry paths for spool directories and payload modules. The rule employs a sequence query in EQL (Elastic Query Language) to detect patterns indicative of exploitation attempts over the past nine months. It specifies paths in the Windows registry where adversaries might insert malicious payloads to facilitate the attack, thus signaling potential malicious activity when changes are detected. The rule is marked as high severity due to the critical nature of the vulnerability and the potential impact of successful exploitation. Additionally, the rule includes guidance for investigation, remediation, and false positive analysis to assist security teams in responding effectively to alerts generated by this rule.
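The sequence logic the summary describes can be illustrated outside of Elastic. The following is an added example written for this page, not the rule's own EQL query: it replays constructed registry events and raises an alert when a change to a printer's SpoolDirectory value is followed, on the same host and within a short window, by a change to a CopyFiles\...\Module value. The exact registry paths (under HKLM\SYSTEM\ControlSet*\Control\Print\Printers), the one-minute window, the field names and every sample event are assumptions made for the illustration.

```python
"""Toy sequence detector for print-spooler registry tampering of the kind
described for CVE-2020-1030. Illustrative example, not the Elastic rule's EQL.
Registry paths, the 1-minute window and the sample events are assumptions."""
import re
from datetime import datetime, timedelta

# Stage 1 (assumed path): a printer's spool directory is redirected.
SPOOL_DIR_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:Current)?ControlSet\d*\\Control\\Print\\Printers\\[^\\]+\\SpoolDirectory$",
    re.IGNORECASE)
# Stage 2 (assumed path): a CopyFiles "Module" value names a DLL for the spooler to load.
COPYFILES_MODULE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:Current)?ControlSet\d*\\Control\\Print\\Printers\\[^\\]+"
    r"\\CopyFiles\\[^\\]+\\Module$",
    re.IGNORECASE)

MAXSPAN = timedelta(minutes=1)  # assumed maximum gap between the two stages


def _ts(s):
    return datetime.fromisoformat(s)


def detect_spooler_registry_sequence(events, maxspan=MAXSPAN):
    """Return one alert per host for a SpoolDirectory change followed within
    maxspan by a CopyFiles\\*\\Module change. Events are dicts with keys
    ts, host, type, process, path, data and must be ordered by time."""
    pending = {}  # host -> stage-1 events still inside the window
    alerts = []
    for ev in events:
        if ev["type"] not in ("creation", "change"):
            continue  # deletions are not part of the sequence
        t, host = _ts(ev["ts"]), ev["host"]
        # Expire stage-1 events that are older than the window.
        pending[host] = [e for e in pending.get(host, [])
                         if t - _ts(e["ts"]) <= maxspan]
        if SPOOL_DIR_RE.match(ev["path"]):
            pending[host].append(ev)
        elif COPYFILES_MODULE_RE.match(ev["path"]) and pending[host]:
            first = pending[host][0]
            alerts.append({
                "host": host,
                "process": ev["process"],
                "spool_directory": first["data"],
                "module": ev["data"],
                "seconds_between": (t - _ts(first["ts"])).total_seconds(),
            })
            pending[host] = []  # the sequence completed; start over for this host
    return alerts


# Constructed sample events (not captured from any real host).
EVENTS = [
    # WS-01: routine printer setup touches only SpoolDirectory -> no alert
    {"ts": "2024-01-01T10:00:00", "host": "WS-01", "type": "change", "process": "spoolsv.exe",
     "path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Printers\OfficeJet\SpoolDirectory",
     "data": r"C:\Windows\System32\spool\PRINTERS"},
    # WS-02: both stages 20 seconds apart from a scripting host -> alert
    {"ts": "2024-01-01T10:00:05", "host": "WS-02", "type": "change", "process": "powershell.exe",
     "path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Printers\Fake\SpoolDirectory",
     "data": r"C:\Windows\System32\spool\drivers\x64\4"},
    {"ts": "2024-01-01T10:00:25", "host": "WS-02", "type": "creation", "process": "powershell.exe",
     "path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Printers\Fake\CopyFiles\Payload\Module",
     "data": r"C:\Windows\System32\spool\drivers\x64\4\payload.dll"},
    # WS-03: second stage arrives five minutes later, outside the window -> no alert
    {"ts": "2024-01-01T10:01:00", "host": "WS-03", "type": "change", "process": "cmd.exe",
     "path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Printers\Slow\SpoolDirectory",
     "data": r"C:\Temp\spool"},
    {"ts": "2024-01-01T10:06:00", "host": "WS-03", "type": "creation", "process": "cmd.exe",
     "path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Printers\Slow\CopyFiles\Payload\Module",
     "data": r"C:\Temp\spool\x.dll"},
    # WS-01: a deletion of a Module value is not part of the sequence
    {"ts": "2024-01-01T10:07:00", "host": "WS-01", "type": "deletion", "process": "spoolsv.exe",
     "path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Printers\OfficeJet\CopyFiles\Old\Module",
     "data": ""},
]

if __name__ == "__main__":
    for a in detect_spooler_registry_sequence(EVENTS):
        print(a)
```

Run as a script it prints the single alert for WS-02. Scoping the sequence by host and expiring the first stage after the window is what keeps an ordinary printer installation (WS-01) or two unrelated changes far apart in time (WS-03) from firing; the alert payload carries both registry values and the writing process so an analyst can check whether the named DLL path is legitimate.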
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Process
- Application Log
ATT&CK Techniques
- T1068
Created: 2020-11-26