Cisco Dot1x Disabled

Rule Info

Name: Cisco Dot1x Disabled
Author: Luc Génaux
Description: Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
Date: 2026-04-28 00:00:00
Modified: None
Id: ef0ff092-a24a-4fbc-beea-06c08d53e085
Tags: attack.persistence attack.credential-access attack.defense-impairment attack.t1685 attack.t1556.004
Type: Community Rule

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 | |
| EzLucky | Merge PR #5909 from @EzLucky - Add `Cisco Dot1x Disabled` | 2026-04-28 | |