What the DLL is happening? A practical approach to identifying SOH.

BSides Dallas/Fort Worth | 16:15 | 15 views | Published 2020-11
About this talk
There are many ways adversaries can maliciously leverage Dynamic Link Libraries (DLLs). One of the most common is Search Order Hijacking (SOH), a simple technique that lets an adversary evade detection, establish persistence, and expand an infection. As a DFIR analyst, knowing how to identify SOH during an incident is important, because a confirmed hijack can trigger other workflows such as memory forensics or reverse engineering. Most of the available information about DLL hijacking focuses on these late-stage workflows and overlooks the earlier stages of investigation. This talk will share a profile for SOH and present real-world examples to aid in identifying its setup and usage.

Frank McClain is a US Army veteran of the first Gulf War and an accomplished cyber investigator with deep experience in digital forensics and incident response. He has worked as a DFIR consultant and managed security operations for a national financial services firm. Frank joined the Red Canary CIRT in 2016, where he performs threat analysis across thousands of endpoints and serves as the Detection Engineering training lead.