4716 Trusted domain information was modified
Logged when the settings of an existing domain trust are changed. Modifying trust settings, such as disabling SID filtering, can widen the attack path, which makes this an important event to monitor.
Overview
The subcategory is Audit Authentication Policy Change. It is generated only on domain controllers. It is recorded when an existing trust’s attributes (direction, type, SID filtering, encryption, and so on) are changed.
How it is triggered
- A settings change to an existing domain/forest trust.
- It occurs on domain controllers.
Security review points
- Disabling SID filtering in particular warrants alarm. With filtering off, cross-trust privilege escalation becomes possible by abusing SID History to bring privileged SIDs in from the trusting side.
- Changes that make a trust two-way or broaden the authentication scope also widen the attack path. Together with creation 4706 and removal 4707, track the trust’s state changes.
Notes for log review
- This change is rare. If it was not planned, treat it as a high-priority event and always investigate it.
- Record the SID filtering state and trust direction before and after, and detect deviations from your security requirements (especially disabling filtering).
Key fields
| Field | Meaning |
|---|---|
| Domain Name | The trusted domain in question |
| SID Filtering | Whether SID filtering is enabled |
| Trust Direction / Trust Type | The trust direction and type after the change |
| Subject\Account Name | The account that made the change |
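
The before/after tracking described under "Notes for log review" can be sketched as follows. This is an added example, not part of the original page. It assumes the 4716 events have already been parsed into records, and the key names, value spellings, domains, accounts and approved state are all constructed for illustration.

```python
# Added example. Input records are constructed; their key names and value
# spellings are assumptions, not the raw 4716 event schema.
APPROVED = {"partner.example": {"sid_filtering": True, "direction": "outbound"}}

EVENTS = [  # constructed sample, oldest first
    {"time": "2024-05-01T09:12:00Z", "event_id": 4716, "domain": "partner.example",
     "sid_filtering": True, "direction": "outbound", "actor": "CORP\\adm-alice"},
    {"time": "2024-05-03T22:41:00Z", "event_id": 4716, "domain": "partner.example",
     "sid_filtering": False, "direction": "outbound", "actor": "CORP\\svc-backup"},
    {"time": "2024-05-03T22:43:00Z", "event_id": 4716, "domain": "partner.example",
     "sid_filtering": False, "direction": "two-way", "actor": "CORP\\svc-backup"},
    {"time": "2024-05-04T08:00:00Z", "event_id": 4716, "domain": "lab.example",
     "sid_filtering": True, "direction": "inbound", "actor": "CORP\\adm-alice"},
]


def review_trust_changes(events, approved):
    """Compare each 4716 record with the last known state of that trust."""
    # Start from the approved state, then update it as changes are seen.
    state = {dom: dict(cfg) for dom, cfg in approved.items()}
    findings = []
    for ev in events:
        if ev["event_id"] != 4716:
            continue
        before = state.get(ev["domain"])
        after = {"sid_filtering": ev["sid_filtering"], "direction": ev["direction"]}
        reasons = []
        if before is None:
            # A modification to a trust we never recorded cannot be compared.
            reasons.append("no prior state recorded for this trust")
        else:
            if before["sid_filtering"] and not after["sid_filtering"]:
                reasons.append("SID filtering disabled")
            if before["direction"] != "two-way" and after["direction"] == "two-way":
                reasons.append("trust made two-way")
        if ev["domain"] in approved and after != approved[ev["domain"]]:
            reasons.append("deviates from approved state")
        # Every 4716 is kept for review; deviations are raised to high priority.
        findings.append({"time": ev["time"], "domain": ev["domain"], "actor": ev["actor"],
                         "before": before, "after": after, "reasons": reasons,
                         "priority": "high" if reasons else "review"})
        state[ev["domain"]] = after
    return findings


if __name__ == "__main__":
    for f in review_trust_changes(EVENTS, APPROVED):
        print(f["time"], f["domain"], f["actor"], f["priority"], "; ".join(f["reasons"]))
```

Seeding the state from 4706 (creation) and clearing it on 4707 (removal) would keep the recorded "before" value accurate across a trust's whole lifetime.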