Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.

Detects a suspicious printer driver installation with an empty Manufacturer value

Detects using register-cimprovider.exe to execute arbitrary dll file.

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Detect DLL Load from Spooler Service backup folder