Conference Talk
12:45 – 1:45 PM (ET)
Copy That: Tracking and clustering ClickFix campaigns
Paste and run (aka ClickFix, fakeCAPTCHA) has been one of the most successful initial execution vectors in the past year. Since its first reported use in March 2024, it’s been used by a number of adversaries to deliver more than 10 different malicious payloads in a variety of campaigns. Red Canary has certainly seen our fair share of users tricked into copying, pasting, and executing malicious code using this technique. In this talk we’ll scrutinize paste and run, and I’ll dig into some of the threat intelligence challenges we faced tracking and clustering this threat from an endpoint perspective. Attendees will learn about the Red Canary threat intel team’s research into this threat over the past year and walk away with practicable detection opportunities.
Meet The Speaker
Stef Rand
Senior Intelligence Analyst
Conference Talk
1:45 PM – 2:15 PM (ET)
Threat hunting in your identity stack
This talk will walk through how to structure and execute effective identity-centric hunts. Identity is the new perimeter and a critical component in modern threats, as attackers increasingly exploit tokens, sessions, and human behavior.
We’ll start by discussing how to baseline normal behavior, formulate hunting hypotheses, and identify meaningful deviations in authentication. You’ll learn how to differentiate between false positives and benign true positives, avoid common pitfalls in chasing low-context anomalies, and uncover how seemingly benign events can offer deep insight into user behavior, misconfigurations, and organizational risk.
We will examine patterns observed after account compromise, focusing on how threat actors quietly maintain access, explore systems, and attempt to achieve their objectives. Whether working in Microsoft Entra, Okta, AWS, or GCP, this session will provide a practical approach to identity-focused threat hunting in modern environments.