4706 A new trust was created to a domain
Written when a new trust relationship to a domain is created. A trust is a path for accepting authentication between domains/forests, so adding a rogue trust can become an attack foothold.
Overview
The subcategory is Audit Authentication Policy Change. It is generated only on domain controllers. It is recorded when a new trust (a relationship that accepts authentication from another domain/forest) is established, and includes the trust type, direction, and SID filtering state.
How it is triggered
- Creation of a domain/forest trust by an administrator or tool.
- It occurs on domain controllers.
Security review points
- Creating a trust is a significant configuration change; if unplanned, always investigate. If an attacker adds a trust to a malicious domain, they can create a path for accepting authentication from outside.
- Pay attention to the SID filtering state. A trust with filtering disabled risks allowing cross-trust privilege escalation that abuses SID History.
- Together with trust modification (4716) and removal (4707), track changes to trust relationships.
Notes for log review
- It is normally a rare operation. Treat even one occurrence as a high-priority event and confirm it was a planned change.
- Record the trust direction (one-way/two-way), type (external/forest), and SID filtering setting, and match against your security requirements.
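The review points above (treat every 4706 as high priority, escalate when SID filtering is off, confirm the change was planned, and read 4706 together with 4716/4707) as an added triage example; this is not code from the original page. It assumes the collector has already flattened each event into a dict keyed by the rendered field names, and the sample records are constructed.

```python
"""Triage of event 4706 and lifecycle correlation with 4716/4707. Samples are constructed."""
# Standard numeric codes Windows logs in the Trust Information block.
TRUST_TYPE = {1: "downlevel", 2: "uplevel", 3: "mit-kerberos", 4: "dce"}
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

def triage_4706(events, planned):
    """Return one finding per 4706 event as (domain, creator, severity, reasons).
    `events`: dicts keyed by rendered field names (assumed flattened by the collector).
    `planned`: set of trusted domain names approved in a change record."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4706:
            continue
        domain = ev["Domain Name"].lower()
        direction = TRUST_DIRECTION.get(int(ev["Trust Direction"]), "unknown")
        ttype = TRUST_TYPE.get(int(ev["Trust Type"]), "unknown")
        filtering_on = str(ev["SID Filtering"]).lower() in ("enabled", "yes", "true")
        severity, reasons = "high", []  # every trust creation starts at high priority
        if domain not in planned:
            reasons.append("trust creation not matched to a planned change")
        if direction == "bidirectional":
            reasons.append(f"bidirectional {ttype} trust: widest authentication scope")
        if not filtering_on:
            # Disabled SID filtering is the precondition for SID History abuse.
            severity = "critical"
            reasons.append(f"SID filtering disabled on {direction} {ttype} trust")
        findings.append((domain, ev["Subject\\Account Name"], severity, reasons))
    return findings

def trust_timeline(events):
    """Group 4706/4716/4707 by trusted domain in time order, so a
    create-modify-remove sequence reads as one story."""
    labels = {4706: "created", 4716: "modified", 4707: "removed"}
    timeline = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] in labels:
            timeline.setdefault(ev["Domain Name"].lower(), []).append(
                (ev["TimeCreated"], labels[ev["EventID"]], ev["Subject\\Account Name"]))
    return timeline

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4706, "TimeCreated": "2024-03-01T09:00Z", "Domain Name": "partner.example",
     "Trust Direction": 2, "Trust Type": 2, "SID Filtering": "Enabled", "Subject\\Account Name": "admin01"},
    {"EventID": 4706, "TimeCreated": "2024-03-01T23:41Z", "Domain Name": "ROGUE.test",
     "Trust Direction": 3, "Trust Type": 2, "SID Filtering": "Disabled", "Subject\\Account Name": "svc-backup"},
    {"EventID": 4716, "TimeCreated": "2024-03-02T01:10Z", "Domain Name": "rogue.test", "Subject\\Account Name": "svc-backup"},
    {"EventID": 4707, "TimeCreated": "2024-03-02T03:00Z", "Domain Name": "rogue.test", "Subject\\Account Name": "svc-backup"},
]
PLANNED = {"partner.example"}
```

Run against SAMPLE_EVENTS, the planned outbound trust stays at high with no reasons, while the unplanned bidirectional trust with SID filtering disabled is raised to critical and its later modification and removal appear on the same timeline entry.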
Key fields
| Field | Meaning |
|---|---|
| Domain Name | The trusted domain |
| Trust Direction / Trust Type | The direction and type of the trust |
| SID Filtering | Whether SID filtering is enabled |
| Subject\Account Name | The account that created the trust |
Glossary
- Trust — a relationship in which one domain accepts authentication from another domain/forest. The broader its scope, the more it becomes a potential attack path.