4614 A notification package (password filter) has been loaded by the SAM
Written when the SAM loads a notification package. In practice this is a password filter DLL, which sits where it is handed the plaintext password on a password change, so a malicious DLL here is a serious threat.
Overview
The subcategory is Audit Security System Extension. It fires each time the SAM (Security Account Manager, which manages account information) loads, at startup, a DLL registered under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. From Windows Vista on, a notification package effectively means a password filter (a DLL called when a password is set or changed).
How it is triggered
- During startup initialization, when the registered notification package DLLs are loaded.
- When a password filter is added.
Security review points
- A password filter receives the plaintext password when a password is changed. A malicious notification package is easier to write and install than an authentication package yet can steal plaintext, making it extremely dangerous. It maps to MITRE ATT&CK T1556.002 (Password Filter DLL: abusing password filters to capture credentials).
- Always investigate a Notification Package Name that is not one of the known, organization-approved values (the standard packages such as scecli/rassfm, which vary by environment).
Notes for log review
- Only a few appear at startup and the values are stable. Maintaining an allow list and alerting on unfamiliar notification package names works well.
- It shares a subcategory with 4610 (authentication package). Monitor the extension modules loaded into the LSA and SAM together.
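The allow-list check described above, as an added example that is not part of the original page: it parses the Notification Package Name out of 4614 records in the Windows event XML shape and flags any value not on an approved list. The approved set, the host names and the sample records are constructed here; the XML data field name NotificationPackageName is assumed to match the event's own XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Organization-approved notification packages (assumed list; adjust per environment).
APPROVED = {"scecli", "rassfm"}


def _sample_event(event_id, computer, package, field="NotificationPackageName"):
    """Build a constructed Security-log record in the Windows event XML shape."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
        f'<EventData><Data Name="{field}">{package}</Data></EventData></Event>'
    )


# Constructed sample records: two expected packages, one unfamiliar DLL name,
# and a 4610 (authentication package) record that the check must ignore.
SAMPLE_EVENTS = [
    _sample_event(4614, "DC01.example.local", "scecli"),
    _sample_event(4614, "DC01.example.local", "rassfm"),
    _sample_event(4614, "DC02.example.local", "PasswordHelper"),
    _sample_event(4610, "DC02.example.local", "msv1_0", "AuthenticationPackageName"),
]


def package_name(event_xml):
    """Return (computer, package) for a 4614 record, or None for any other event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4614":
        return None
    computer = root.findtext("e:System/e:Computer", default="?", namespaces=NS)
    for data in root.findall("e:EventData/e:Data", NS):
        if data.get("Name") == "NotificationPackageName":
            return computer, (data.text or "").strip()
    return None


def find_unapproved(events, approved=APPROVED):
    """Allow-list check: every 4614 whose package name is not approved is an alert."""
    allowed = {a.lower() for a in approved}
    alerts = []
    for record in events:
        parsed = package_name(record)
        if parsed is None:
            continue
        computer, package = parsed
        if package.lower() not in allowed:  # DLL names are case-insensitive
            alerts.append((computer, package))
    return alerts


if __name__ == "__main__":
    for host, pkg in find_unapproved(SAMPLE_EVENTS):
        print(f"ALERT {host}: unfamiliar notification package '{pkg}'")
```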
Key fields
| Field | Meaning |
|---|---|
| Notification Package Name | The name of the loaded notification package (password filter) |
Glossary
- Password filter — a DLL called when a password is set or changed, for example to enforce password policy. It can receive the plaintext password.