First part of MAC addresses were being changed to non-compliant MAC address in network

Question

Several machines on my network have a MAC address that is beginning with the same three first pairs of numbers for example

The MAC cannot be found in the IEEE, but when I reboot the machines they get new MAC addresses with the same ending but updated three first pairs of numbers. I can't figure out what is happening here. Is this an attack? I thought that MAC addresses stay fixed so long as no one has root access. All the machines are connected by Ethernet LAN.

Answer 1

I thought that MAC addresses stay fixed so long as no one has root access.

And I think that's generally true. However, someone (with root access) might have configured the system in a certain way, that keeps randomizing the MAC address. There's lots of ways to do this, so unfortunately you'll probably have to check every software that runs on those devices, and check its settings. Even Windows itself could be responsible for doing the MAC address changes:

When you're not connected to Wi-Fi, your PC sends a signal to look for Wi-Fi networks in the area to help you get connected. The signal contains the unique physical hardware (MAC) address for your device.

Some places, for example shopping malls, stores, or other public areas, might use this unique address to track your movement in that area. If your Wi-Fi hardware supports it, you can turn on random hardware addresses to make it harder for people to track you when your PC scans for networks and connects.

How to use random hardware addresses in Windows

Source: https://support.microsoft.com/en-us/windows/why-use-random-hardware-addresses-060ad2e9-526e-4f1c-9f3d-fe6a842640ed