4622 A security package has been loaded by the LSA
Written when the LSA loads a security package (a DLL implementing an authentication protocol such as Kerberos or NTLM). A name not on the default list is a reason to suspect tampering with the authentication path.
Overview
The subcategory is Audit Security System Extension. A security package is a software component implementing a security protocol such as Kerberos, NTLM, or Schannel. The event fires each time the LSA (the core authentication process) loads a DLL at startup from the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. A package can also be added dynamically, outside of startup, with the AddSecurityPackage API.
How it is triggered
- LSA initialization at system startup. Windows 10 by default loads kerberos, msv1_0 (NTLM), schannel, wdigest, tspkg, pku2u, cloudAP, negoexts, Negotiate, and so on.
- When something is added dynamically at runtime with AddSecurityPackage.
Security review points
- Investigate a Security Package Name that is not on the default list, or that lives on a path outside System32. If an attacker plants a custom security package (an SSP: Security Support Provider), it can be used for credential theft and persistence.
- A load outside startup (a dynamic addition) is especially notable. Like the authentication package reported by 4610, a security package is an authentication-layer extension module, so monitor the two events together.
Notes for log review
- Normally only the default list is loaded at startup and the values are stable. Build an allow list and alert on deviations.
- Note that wdigest relates to the setting that keeps plaintext credentials in memory (UseLogonCredential), so while confirming wdigest’s presence in 4622, also watch for changes to that setting (registry auditing).
Key fields
| Field | Meaning |
|---|---|
| Security Package Name | The loaded package, in the form DLL path : package name |
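
The allow-list and load-time checks from the review notes above, applied to the Security Package Name field, as an added example (not code from the original page). The function names, the five-minute startup window, and the sample events are assumptions made for the illustration; the allow list holds only the names this page gives.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Names from the page's default list, which ends "and so on":
# extend this set from a baseline of your own hosts.
ALLOWED = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg",
           "pku2u", "cloudap", "negoexts", "negotiate"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# Assumption: a load this soon after boot is treated as part of LSA startup.
STARTUP_WINDOW = timedelta(minutes=5)


def parse_package(field):
    """Split 'DLL path : package name' into (PureWindowsPath, name)."""
    # Split on the last ' : ' so the drive-letter colon stays in the path.
    path, sep, name = field.rpartition(" : ")
    if not sep:
        raise ValueError(f"unexpected Security Package Name: {field!r}")
    return PureWindowsPath(path.strip()), name.strip()


def review(field, loaded_at, boot_time):
    """Return the reasons a 4622 event needs a look (empty list = expected)."""
    dll, _name = parse_package(field)
    reasons = []
    if dll.stem.lower() not in ALLOWED:
        reasons.append("not on allow list")
    if dll.parent != SYSTEM32:  # PureWindowsPath compares case-insensitively
        reasons.append("outside System32")
    if loaded_at - boot_time > STARTUP_WINDOW:
        reasons.append("loaded outside startup")
    return reasons


BOOT = datetime(2024, 5, 1, 8, 0, 0)  # constructed boot time
SAMPLES = [  # constructed (field value, load time) pairs
    (r"C:\Windows\system32\kerberos.DLL : Kerberos", BOOT + timedelta(seconds=20)),
    (r"C:\Windows\system32\msv1_0.DLL : NTLM", BOOT + timedelta(seconds=21)),
    (r"C:\ProgramData\example\mypkg.dll : ExamplePkg", BOOT + timedelta(hours=3)),
    (r"C:\Users\Public\kerberos.dll : Kerberos", BOOT + timedelta(seconds=25)),
]

if __name__ == "__main__":
    for field, ts in SAMPLES:
        print(field, "->", review(field, ts, BOOT) or "expected")
```

The last sample shows why the DLL name alone is not enough: a familiar name on an unexpected path is still reported.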
Glossary
- SSP (Security Support Provider) — a module that provides an authentication protocol to the LSA. A malicious SSP is abused for credential theft.