Many Windows binaries that can be abused by attackers to make undesired network connections do not need network connectivity for 'normal' functionality. With the Windows firewall, we can therefore create rules to block outbound network connections from these binaries as an additional layer of protection.
Note: Depending on your environment, these firewall rules may cause issues. Test before implementing.
These rules have been in place in my personal network without issue:
New-NetFirewallRule -DisplayName "regsvr32 block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\regsvr32.exe" -Action Block
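
The following is an added example, not part of the original rules: it generalizes the single rule above into an idempotent deployment that also covers the 32-bit copy under SysWOW64, then lists what is in place. The binary list (only regsvr32.exe comes from this page), the function name `Add-LolbasBlockRule` and the "block 2" numbering for SysWOW64 are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. $Binaries is an assumed list: regsvr32.exe is from the page,
# mshta.exe is an illustrative addition. Adjust after testing in your environment.
$Group    = 'LOLBAS Block'
$Binaries = @('regsvr32.exe', 'mshta.exe')
# A -Program rule matches one exact path, so the 32-bit copies need their own rules.
$Dirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Add-LolbasBlockRule {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Name, [string[]]$Directory, [string]$RuleGroup)

    # Program paths already covered by this group, so reruns create no duplicates.
    $covered = @(Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Get-NetFirewallApplicationFilter | Select-Object -ExpandProperty Program)

    foreach ($n in $Name) {
        $i = 0
        foreach ($d in $Directory) {
            $i++
            $path = Join-Path $d $n
            if (-not (Test-Path -LiteralPath $path)) { continue }  # e.g. no SysWOW64 copy
            if ($covered -contains $path) { continue }             # -contains ignores case
            $display = '{0} block {1}' -f [IO.Path]::GetFileNameWithoutExtension($n), $i
            if ($PSCmdlet.ShouldProcess($path, "Block outbound ($display)")) {
                New-NetFirewallRule -DisplayName $display -Group $RuleGroup `
                    -Direction Outbound -Program $path -Action Block | Out-Null
            }
        }
    }
}

# Dry run first, then apply.
Add-LolbasBlockRule -Name $Binaries -Directory $Dirs -RuleGroup $Group -WhatIf
Add-LolbasBlockRule -Name $Binaries -Directory $Dirs -RuleGroup $Group

# Verify: every rule in the group with the program path it actually matches.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Enabled     = $_.Enabled
        Action      = $_.Action
        Program     = ($_ | Get-NetFirewallApplicationFilter).Program
    }
} | Format-Table -AutoSize

# Rollback if a rule causes issues:
# Remove-NetFirewallRule -Group $Group
```

Because all rules share one group, the whole set can be reviewed or removed in a single command during testing.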