
4610 An authentication package has been loaded by the LSA

Written when the LSA loads an authentication package (a DLL that implements an authentication method). A package other than the default is a clue that the authentication path may have been tampered with.

Overview

This event belongs to the Audit Security System Extension subcategory. It is logged each time the LSA (Local Security Authority, the core process that handles authentication) loads, at startup, a DLL registered under the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages. By default Windows 10 loads only one, msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0.

How it is triggered

  • LSA initialization during system startup.
  • When an authentication package is added and loaded.

Security review points

  • Always investigate an Authentication Package Name other than the default msv1_0. If an attacker registers a malicious DLL and has the LSA load it, it can be used for credential theft and for persistence across reboots. In MITRE ATT&CK this maps to T1547.005 (Security Support Provider: planting a custom module in the LSA).
  • A DLL on a path outside System32, or a package with an unfamiliar name, is especially suspect.

Notes for log review

  • Normally only a few of these events appear at startup, and the steady-state value is fixed. Building an allow list of the default DLLs and alerting on anything else works well.
  • 4614 (password filter loading) is in the same Security System Extension subcategory. Monitoring the two together, as “what got loaded into the LSA or SAM,” makes authentication-layer tampering easier to catch in one place.
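
The allow-list check described above, as an added example (not code from the original page): it parses the "DLL path : package name" value from exported 4610 event XML and flags anything that is not the default package or is loaded from outside System32. The EventData field name AuthenticationPackageName, the C:\Windows install path and all sample values are assumptions or constructed for the demo.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Allow list taken from the page: the one default package on Windows 10.
ALLOWED = {("msv1_0.dll", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0")}
SYSTEM32 = r"c:\windows\system32"  # assumption: Windows lives in C:\Windows
FIELD = "AuthenticationPackageName"  # assumption: EventData name of the field

def split_package(value):
    """Split 'DLL path : package name'. The drive-letter colon has no
    surrounding spaces, so split on the last ' : ' only."""
    path, sep, name = value.rpartition(" : ")
    return (path.strip(), name.strip()) if sep else (value.strip(), "")

def review_4610(event_xml):
    """Return findings for one event; an empty list means allow-listed."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4610":
        return []
    value = root.findtext(f"e:EventData/e:Data[@Name='{FIELD}']",
                          default="", namespaces=NS)
    path, name = split_package(value)
    findings = []
    if (ntpath.basename(path).lower(), name) not in ALLOWED:
        findings.append("package not on allow list")
    # Same file name loaded from another directory is still suspect.
    directory = ntpath.dirname(ntpath.normpath(path)).lower()
    if directory != SYSTEM32:
        findings.append("DLL outside System32")
    return findings

def sample_event(value, event_id=4610):
    """Build a constructed, minimal event record for the demo."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID></System>"
            f'<EventData><Data Name="{FIELD}">{value}</Data></EventData></Event>')

SAMPLES = [  # constructed values, not taken from a real host
    r"C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
    r"C:\ProgramData\example\authpkg.dll : EXAMPLE_PACKAGE",
    r"C:\Temp\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", review_4610(sample_event(value)) or "ok")
```

The third sample shows why the directory is checked separately: a DLL that reuses the default file name and package name still gets flagged when it sits outside System32.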

Key fields

Field                          Meaning
Authentication Package Name    The loaded authentication package, in the form DLL path : package name
