Detection
Review authentication and access logs for municipal systems covering the July 2024 window. Search for lateral movement indicators, anomalous data export volumes, or unauthorized account creation during that period. Because no IOCs have been publicly released, focus detection on behavioral anomalies rather than signature-based matching. If your organization shares infrastructure with North Carolina municipal networks, query SIEM logs for unusual outbound data transfers in July 2024.
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate authentication anomalies, lateral movement indicators, and bulk data transfer events from the July 2024 attack window using behavioral analysis in the absence of published IOCs.
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Without a SIEM, query the Windows Security Event Log directly with PowerShell; the XPath time filter expects full UTC timestamps:
Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[@SystemTime>='2024-07-01T00:00:00.000Z' and @SystemTime<='2024-07-31T23:59:59.999Z']]]" | Where-Object { $_.Id -in @(4624,4625,4648,4720,4732,4776) }
This surfaces successful and failed logons, explicit credential use, new account creation, and group membership changes. For bulk data export detection, query the same log for Event ID 4663 (Object Access, file read; these events are only generated when Object Access auditing is enabled and a SACL is set on the directory) on directories containing resident PII databases, filtered to accounts reading more than 500 files within a one-hour window in July 2024. On Linux/web systems, use awk against auth.log and syslog for the July 2024 date range to identify SSH logins from unusual source IPs. For outbound transfer volume, parse firewall or proxy logs with grep/awk to identify sessions transferring more than 100 MB to external IPs during that window.
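The two behavioral checks above (the Detection paragraph's "anomalous data export volumes" and this section's 4663 bulk-read and >100 MB outbound thresholds) can be run offline over exported logs. The following is an added example, not code from the original playbook: it assumes the 4663 events were exported to CSV with the timestamp, subject account and object path already extracted from each event's XML, and it uses constructed log lines in which documentation address ranges (203.0.113.0/24, 198.51.100.0/24) stand in for external IPs. The sliding window, the 500-file and 100 MB thresholds, and the one-hour window are the playbook's own values.

```python
"""Behavioral detection over exported 4663 events and firewall logs (added example)."""
import csv
import io
import ipaddress
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)                 # one-hour window from the playbook
FILE_THRESHOLD = 500                        # flag >500 distinct files per window
BYTES_THRESHOLD = 100 * 1024 * 1024         # flag >100 MB to one external IP
# Assumption: this address space is internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def build_sample_4663_csv():
    """Constructed sample export. Assumed columns: the timestamp, subject account
    and object path a practitioner would pull out of each 4663 event's XML."""
    rows = ["TimeCreated,SubjectUserName,ObjectName"]
    base = datetime(2024, 7, 14, 2, 0, 0)
    for i in range(600):   # svc_backup touches 600 distinct files in 30 minutes
        t = base + timedelta(seconds=3 * i)
        rows.append(f"{t.isoformat()},svc_backup,D:\\PII\\residents\\rec_{i:04d}.xml")
    base = datetime(2024, 7, 14, 8, 0, 0)
    for i in range(48):    # jdoe reads one file every ten minutes all day (normal)
        t = base + timedelta(minutes=10 * i)
        rows.append(f"{t.isoformat()},jdoe,D:\\PII\\residents\\rec_{i:04d}.xml")
    return "\n".join(rows)


def bulk_file_reads(csv_text, threshold=FILE_THRESHOLD, window=WINDOW):
    """Return {account: (window_start, distinct_files)} for every account whose
    count of distinct ObjectNames inside some sliding window exceeds threshold."""
    per_account = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["TimeCreated"])
        per_account.setdefault(row["SubjectUserName"], []).append((ts, row["ObjectName"]))
    hits = {}
    for account, events in per_account.items():
        events.sort()
        in_window = deque()      # events no older than `window` before the current one
        counts = Counter()       # distinct object -> occurrences inside the window
        for ts, obj in events:
            in_window.append((ts, obj))
            counts[obj] += 1
            while in_window and ts - in_window[0][0] > window:
                _, old_obj = in_window.popleft()
                counts[old_obj] -= 1
                if counts[old_obj] == 0:
                    del counts[old_obj]
            distinct = len(counts)
            if distinct > threshold and (account not in hits or distinct > hits[account][1]):
                hits[account] = (in_window[0][0], distinct)
    return hits


# Constructed firewall lines; 203.0.113.77 and 198.51.100.9 stand in for external hosts.
SAMPLE_FIREWALL_LOG = """\
2024-07-14T02:05:11 src=10.20.30.40 dst=10.20.30.5 bytes_out=52428800 action=allow
2024-07-14T02:07:44 src=10.20.30.40 dst=203.0.113.77 bytes_out=157286400 action=allow
2024-07-14T03:01:00 src=10.20.30.40 dst=203.0.113.77 bytes_out=1073741824 action=allow
2024-07-14T09:12:03 src=10.20.31.8 dst=198.51.100.9 bytes_out=2097152 action=allow
"""


def is_external(ip_text):
    """True when the address is outside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def large_outbound_sessions(log_text, threshold=BYTES_THRESHOLD):
    """Return [(timestamp, src, dst, bytes_out)] for sessions that sent more than
    threshold bytes to an external destination (key=value log format assumed)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        nbytes = int(fields["bytes_out"])
        if is_external(fields["dst"]) and nbytes > threshold:
            hits.append((stamp, fields["src"], fields["dst"], nbytes))
    return hits


if __name__ == "__main__":
    for acct, (start, n) in bulk_file_reads(build_sample_4663_csv()).items():
        print(f"bulk read: {acct} opened {n} distinct files in the hour from {start}")
    for stamp, src, dst, n in large_outbound_sessions(SAMPLE_FIREWALL_LOG):
        print(f"large outbound: {stamp} {src} -> {dst} {n / 2**20:.0f} MB")
```

On the constructed data the 4663 check flags only svc_backup (600 distinct files inside one window, jdoe never exceeds seven), and the firewall check returns the two sessions from 10.20.30.40 to 203.0.113.77. Counting distinct object paths rather than raw 4663 events matters because a single file open can emit several 4663 records with different access masks, which would otherwise inflate the count for ordinary users.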
Preserve Evidence
Preserve Windows Security Event Log exports (EVTX format) for Event IDs 4624 (Logon), 4625 (Failed Logon), 4648 (Explicit Credential Use), 4720 (Account Created), 4732 (Added to Security-Enabled Group), 4776 (Credential Validation), and 4663 (Object Access) covering June–August 2024 before any log rotation clears them. Collect VPN authentication logs and remote access gateway logs (e.g., Citrix, RDP gateway, FortiGate SSL-VPN) for the same window. Preserve database query logs (SQL Server trace logs or PostgreSQL pg_log) for PII repositories showing bulk SELECT or export operations in July 2024. On Linux systems, collect /var/log/auth.log, /var/log/secure, and /var/log/syslog for the July 2024 window. Capture current Active Directory replication metadata ('repadmin /showrepl') to identify any rogue domain controllers or unauthorized schema changes that may have persisted.