Hello security experts,
I'm an entry level SOC analyst with a question that I haven't been able to get a definitive answer for through research. On our EDR software, we've been having alerts generate on a particular endpoint that say "RTLDHCP.exe unexpectedly tried to access lsass.exe". These attempts are being blocked by the EDR software, so it's not a particularly alarming issue.
However, I would like to know why this may happen, especially with only one endpoint. From what I've gathered, RTLDHCP.exe is a REALTEK LAN utility which acts as a bridge between the OS and the REALTEK NIC, used for connecting a computer to the LAN. lsass.exe, as many of you may know, is responsible for enforcing the security policy on the system and verifies users logging into the system. My guess is that it may have something to do with authentication, but that's merely a guess.
If any of you have some insightful info, I'd appreciate it.
Great question - and I do not know the answer. It could be that RTLDHCP.exe is attempting to authenticate but that's just a spitball!
What error events do you see on the affected host? That might give better clues and allow you to resolve the issue.
As for the inner workings of this code, you might try to contact Realtek. I'd start here (https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en_) and start emailing the relevant email addresses.
If your fleet is comprised of homogeneous systems (e.g. all Dell, HP) and similar models, and the networks they are connecting to are the same, then I would wipe and replace the system, as something acting differently is not good.
Otherwise, follow the advice given and validate the firmware/drivers/app.
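A host-side triage script for the checks suggested in the replies (locate the binary, verify its signature and hash, pull recent events that mention it, and list any logged attempts by it to open lsass.exe), written in PowerShell as an added example and not code from this thread. It assumes the process name RTLDHCP.exe from the alert, and the last section assumes Sysmon is installed with ProcessAccess logging, which it skips if absent.

```powershell
# Added triage example (not from the thread). Run in an elevated PowerShell on the affected endpoint.
# Assumptions: the binary is RTLDHCP.exe as named in the EDR alert; Sysmon may or may not be installed.
$procName = 'RTLDHCP'

# 1. Locate the running process and the image it was loaded from.
$proc = Get-Process -Name $procName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $proc) { Write-Warning "$procName.exe is not running; check services/scheduled tasks for how it is started."; return }
$path = $proc.Path
Write-Host "Image: $path"

# 2. Check the Authenticode signature and record a SHA256 to compare against the vendor's driver package.
$sig = Get-AuthenticodeSignature -FilePath $path
Write-Host ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
Write-Host "SHA256: $hash"

# 3. Application/System events from the last 7 days whose message mentions the binary.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Application','System'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $procName } |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName |
    Format-Table -AutoSize

# 4. If Sysmon is present, list ProcessAccess events (Event ID 10) where this binary opened lsass.exe,
#    with the GrantedAccess mask, which tells you what rights the handle requested (assumption: Sysmon installed).
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "SourceImage:.*$procName\.exe" -and $_.Message -match 'TargetImage:.*lsass\.exe' } |
        ForEach-Object {
            $m = [regex]::Match($_.Message, 'GrantedAccess:\s*(0x[0-9A-Fa-f]+)')
            [pscustomobject]@{ Time = $_.TimeCreated; GrantedAccess = $m.Groups[1].Value }
        } | Format-Table -AutoSize
} else {
    Write-Host "Sysmon log not found; rely on the EDR's own process-access telemetry for the lsass.exe attempts."
}
```

Compare the signer and hash with the package from the NIC vendor's download page; a mismatch, or an unsigned binary in an unexpected path, changes this from a driver quirk into an incident.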