Detects a "regsvr32" execution where the DLL path does not carry a common file extension.
Detects a suspicious printer driver installation with an empty Manufacturer value.
Detects the use of register-cimprovider.exe to execute an arbitrary DLL file.
Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675.
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the configured debugger is invoked when an application crashes.
Detects attempts by an unusual process to create a DLL file in a known desktop application dependency folder such as Slack, Teams or OneDrive. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Detects a DLL load from the Spooler Service backup folder.