
Hello security experts,

I'm an entry level SOC analyst with a question that I haven't been able to get a definitive answer for through research. On our EDR software, we've been having alerts generate on a particular endpoint that say "RTLDHCP.exe unexpectedly tried to access lsass.exe". These attempts are being blocked by the EDR software, so it's not a particularly alarming issue.

However, I would like to know why this may happen, especially with only one endpoint? From what I've gathered, RTLDHCP.exe is a REALTEK LAN utility which acts as a bridge between the OS and the REALTEK NIC, used for connecting a computer to the LAN. Lsass.exe, as many of you may know, is responsible for enforcing the security policy on the system and verifies users logging into the system. My guess is that it may have something to do with authentication, but that's merely a guess.

If any of you have some insightful info, I'd appreciate it.

Thanks!



4 Replies

tfl
Mace

Great question - and I do not know the answer. It could be that RTLDHCP.exe is attempting to authenticate but that's just a spitball! 

What error events do you see on the affected host? That might give better clues and allow you to resolve the issue.

As for the inner workings of this code, you might try to contact Realtek. I'd start here (https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en_) and start emailing the relevant email addresses.

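The reply above asks what the host itself logged. The EDR verdict "unexpectedly tried to access lsass.exe" is a ProcessAccess event, and Sysmon records the same thing as Event ID 10 with a SourceImage, TargetImage and GrantedAccess mask. The script below is an added example (not from the original thread, and not Realtek's or any EDR vendor's code) that triages such records: it keeps only lsass.exe targets, splits the access mask into the Windows process rights it contains, and separates a low-privilege query (no memory read/write rights) from an access that could read lsass memory. The baseline set of expected Windows accessors, the file paths, and the four sample events are constructed for the example; the RTLDHCP.exe path is a placeholder, and whether that utility belongs in the baseline is a decision for the fleet's own data.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.

Added example: the event field names match Sysmon's EventData (SourceImage,
TargetImage, GrantedAccess, UtcTime); the sample events and the allowlist
are constructed for illustration.
"""
from collections import Counter

# Process access rights from winnt.h that matter when lsass.exe is the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "CREATE_THREAD",
    PROCESS_VM_OPERATION: "VM_OPERATION",
    PROCESS_VM_READ: "VM_READ",
    PROCESS_VM_WRITE: "VM_WRITE",
    PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
}

# Rights that let the caller read or change lsass memory; a handle with only
# query rights cannot extract credential material.
MEMORY_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                 | PROCESS_VM_READ | PROCESS_VM_WRITE)

# Illustrative baseline of Windows components that routinely open lsass.exe.
# ASSUMPTION for this example: derive the real baseline from your own fleet.
EXPECTED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe"}


def basename(path):
    """Case-insensitive file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def describe_access(mask_hex):
    """Expand a Sysmon GrantedAccess string such as '0x1010' into right names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]


def classify(event):
    """Return None for non-lsass targets, otherwise a triage verdict."""
    if basename(event["TargetImage"]) != "lsass.exe":
        return None
    if basename(event["SourceImage"]) in EXPECTED_SOURCES:
        return "expected"
    if int(event["GrantedAccess"], 16) & MEMORY_RIGHTS:
        return "investigate"          # non-baseline process with memory rights
    return "low-privilege-query"      # non-baseline, but query rights only


def triage(events):
    """One (time, source, rights, verdict) row per lsass.exe access."""
    rows = []
    for e in events:
        verdict = classify(e)
        if verdict:
            rows.append((e["UtcTime"], basename(e["SourceImage"]),
                         describe_access(e["GrantedAccess"]), verdict))
    return rows


def summarize(events):
    """Count accesses per (source image, verdict); repeat offenders stand out."""
    return Counter((basename(e["SourceImage"]), classify(e))
                   for e in events if classify(e))


# Constructed sample events; paths and times are placeholders, not real data.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-01-01 08:00:00", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"UtcTime": "2023-01-01 08:00:05", "SourceImage": r"C:\PLACEHOLDER_REALTEK_DIR\RTLDHCP.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"UtcTime": "2023-01-01 08:00:09", "SourceImage": r"C:\Users\user\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"UtcTime": "2023-01-01 08:00:12", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(summarize(SAMPLE_EVENTS))
```

Run against a real export, the summary answers the question in the thread directly: if RTLDHCP.exe shows up only with QUERY rights and only on the one host, the next step is the driver version and installed-software comparison suggested below rather than an incident; if it ever appears with VM_READ, treat that endpoint as a credential-access investigation regardless of what the binary is called.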
EminentX
Datil

Have you tried uninstalling and then updating the REALTEK driver to see if the issue disappears?

Doge2TheMoon
Sonora

Great suggestions from you both. I'll explore trying to update the REALTEK driver and comment back if I could use any more assistance. Appreciate the feedback!

ken525
Serrano

If your fleet is comprised of homogeneous systems (e.g. all Dell, HP) and similar models, and the networks they are connecting to are the same, then I would wipe and replace the system, as something acting differently is not good.

Otherwise, follow the advice given: validate the firmware/drivers/app.
