“What the DLL is happening? A practical approach to identifying SOH” By Frank McClain
Thursday, July 16, 2:45–3:20 PM (ET)
There are many ways adversaries can maliciously leverage Dynamic Link Libraries (DLLs). One of the most common is Search Order Hijacking (SOH), a simple technique in which a malicious DLL is planted where the loader will find it before the legitimate one, giving an attacker the means to evade detection, establish persistence, and expand an infection. For a DFIR analyst, knowing how to identify SOH during an incident is important, because a confirmed hijack can trigger follow-on workflows such as memory forensics or reverse engineering.
Most of the available information about DLL hijacking focuses on these late-stage workflows yet overlooks the earlier stages of investigation. This talk will share a profile for SOH and present real-world examples to aid in identifying its setup and usage.
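The abstract describes identifying SOH rather than how to do it. The following is an added example, not material from the talk or from Frank McClain: a minimal triage check over image-load records of the kind Sysmon Event ID 7 produces (process `Image` and the `ImageLoaded` DLL path). It flags a load when the DLL carries the name of a Windows system DLL but is loaded from outside the system directories, and calls out the classic case where it sits in the application's own directory. The DLL-name allowlist, the system directories, and every record are constructed assumptions for illustration; in practice the allowlist should come from an inventory of a clean reference host.

```python
"""Triage check for DLL search-order hijacking (SOH) candidates.

Added example. Input records mimic Sysmon Event ID 7 (ImageLoaded) fields;
all data below is constructed, not taken from a real incident.
"""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed allowlist (assumption): base names of DLLs that ship in
# System32 and are resolved by search order because they are not on the
# KnownDLLs list, which is what makes them attractive SOH targets.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "cryptbase.dll", "profapi.dll", "userenv.dll", "dwmapi.dll",
}

# Directories from which a system DLL name is expected to load (assumption:
# a default Windows install on C:). Subdirectories of these are tolerated.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path (handles / and \\)."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\")


def _under_system_dir(directory: str) -> bool:
    return any(directory == root or directory.startswith(root + "\\")
               for root in SYSTEM_DIRS)


def classify_load(process_image: str, image_loaded: str) -> Optional[str]:
    """Return a reason string if the load looks like SOH, else None."""
    dll_name = PureWindowsPath(image_loaded).name.lower()
    if dll_name not in KNOWN_SYSTEM_DLLS:
        return None  # not a system DLL name; out of scope for this check
    dll_dir = _parent_dir(image_loaded)
    if _under_system_dir(dll_dir):
        return None  # loaded from where it belongs
    if dll_dir == _parent_dir(process_image):
        # The loader checks the application directory before System32, so a
        # same-named DLL beside the executable wins: the textbook SOH setup.
        return "system DLL name loaded from the application directory"
    return "system DLL name loaded from outside the system directories"


def scan(records: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run classify_load over (Image, ImageLoaded) pairs; return the hits."""
    hits = []
    for process_image, image_loaded in records:
        reason = classify_load(process_image, image_loaded)
        if reason is not None:
            hits.append((process_image, image_loaded, reason))
    return hits


# Constructed sample image-load records (Image, ImageLoaded).
SAMPLE_IMAGE_LOADS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cryptbase.dll"),
    (r"C:\Users\Public\Tools\update.exe", r"C:\Users\Public\Tools\version.dll"),
    (r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\app.dll"),
    (r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     r"C:/Users/alice/AppData/Local/Temp/profapi.dll"),
    (r"C:\Windows\SysWOW64\notepad.exe", r"C:\Windows\SysWOW64\dwmapi.dll"),
    (r"C:\Program Files\Vendor\app.exe", r"C:\ProgramData\dwmapi.dll"),
]


if __name__ == "__main__":
    for process_image, image_loaded, reason in scan(SAMPLE_IMAGE_LOADS):
        print(f"{reason}\n  process: {process_image}\n  dll:     {image_loaded}")
```

A hit here is a lead, not a verdict: the follow-up is to hash and signature-check the flagged file, look for the Sysmon Event ID 11 file-create that planted it, and then hand the sample to the memory-forensics or reverse-engineering workflow the abstract mentions.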