Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
Detects attempts to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Detect DLL Load from Spooler Service backup folder
Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the configured debugger is invoked when an application crashes.
Detects a suspicious printer driver installation with an empty Manufacturer value
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Search for dropping of files to Windows/Program Files folders by non-privileged processes
Detects the use of register-cimprovider.exe to execute an arbitrary DLL file.
Detects Windows 7 calc.exe loading DLLs from suspicious or abnormal file paths.