Techniques
Sample rules
Cisco Dot1x Disabled
- source: sigma
- techniques:
- t1556
- t1556.004
- t1685
Description
Detects an administrator disabling IEEE 802.1X (dot1x) port authentication on a Cisco network device, either per interface (removing the port-control setting or forcing the port to authorized, which puts the port in the authorized state without any supplicant authentication) or globally (no dot1x system-auth-control). Disabling dot1x bypasses Network Access Control (NAC), potentially allowing unauthorized devices to join the internal network. Attackers and malicious insiders use this to establish persistence or to move laterally via rogue devices plugged into the switch. The rule matches on logged configuration commands, so it only fires if command accounting or configuration change logging from the device is forwarded to the SIEM; the same commands issued during approved maintenance will also match and should be correlated with change records.
Detection logic
condition: keywords
keywords:
- access-session port-control force-authorized
- authentication port-control force-authorized
- dot1x port-control force-authorized
- no access-session port-control
- no authentication port-control
- no dot1x port-control
- no dot1x system-auth-control
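To show how the keyword list above behaves on real-looking events, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's keywords over a handful of constructed Cisco IOS config-change syslog lines. The hostnames, usernames and interface names are made up; the message format assumed is the %PARSER-5-CFGLOG_LOGGEDCMD line that IOS emits when configuration change logging is enabled and sent to syslog. Sigma keyword lists match as case-insensitive substrings anywhere in the event, which the matcher reproduces.

```python
"""Evaluate the 'Cisco Dot1x Disabled' keyword rule over constructed log lines."""

# Keyword list copied from the rule's detection section.
KEYWORDS = [
    "access-session port-control force-authorized",
    "authentication port-control force-authorized",
    "dot1x port-control force-authorized",
    "no access-session port-control",
    "no authentication port-control",
    "no dot1x port-control",
    "no dot1x system-auth-control",
]


def match_dot1x_disabled(event: str):
    """Return the first keyword found in the event (case-insensitive
    substring match, as Sigma 'keywords' lists are evaluated), or None."""
    text = event.lower()
    for kw in KEYWORDS:
        if kw in text:
            return kw
    return None


# Constructed sample events (hypothetical hosts, users and interfaces),
# in the %PARSER-5-CFGLOG_LOGGEDCMD format produced by IOS config logging.
# Event 1 enables 802.1X (port-control auto) and must NOT match; event 3
# uses upper case to exercise the case-insensitive comparison.
SAMPLE_EVENTS = [
    "sw-access-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1/0/5",
    "sw-access-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:authentication port-control auto",
    "sw-access-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no dot1x port-control",
    "sw-access-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:DOT1X PORT-CONTROL FORCE-AUTHORIZED",
    "sw-access-02: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no dot1x system-auth-control",
    "sw-access-02: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
]


def scan(events):
    """Return (index, matched keyword) for every event the rule would fire on."""
    hits = []
    for i, ev in enumerate(events):
        kw = match_dot1x_disabled(ev)
        if kw is not None:
            hits.append((i, kw))
    return hits


if __name__ == "__main__":
    for i, kw in scan(SAMPLE_EVENTS):
        print(f"alert: event {i} matched '{kw}': {SAMPLE_EVENTS[i]}")
```

Two points the run makes visible: "authentication port-control auto" (re-enabling 802.1X) does not fire, while "no dot1x port-control" does, because on Cisco IOS the default port-control is force-authorized, so removing the setting is equivalent to disabling authentication on that port. Because the match is a plain substring, any field that carries the command text (including an interface description a user happened to type) would also trigger it; pair the rule with a log source that contains only executed commands.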