Cisco Dot1x Disabled (ef0ff092-a24a-4fbc-beea-06c08d53e085)

Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Cisco Dot1x Disabled (ef0ff092-a24a-4fbc-beea-06c08d53e085) | Sigma-Rules | 1 |
| Cisco Dot1x Disabled (ef0ff092-a24a-4fbc-beea-06c08d53e085) | Sigma-Rules | Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) | Attack Pattern | 1 |
| Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) | Attack Pattern | Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | 2 |