Blake Johnson led the on-site Mandiant investigation of the operational technology incident in which the TRITON framework was recovered, so who better to walk through the sequence of events on the day of the outage that TRITON caused?
He discusses in technical detail:
– the control flow of the Python uploader
– why the payload did not persist
– TRITON functioned as a remote access trojan intended to deliver a further payload; no such payload was recovered during the incident response
– lessons learned in evidence preservation