{
  "id": "4716",
  "source": "windows_security",
  "category": "Trust",
  "name": "Trusted domain information was modified",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Windows Security Event ID 4716 records modification of Active Directory trusted domain information.",
  "trigger_scenarios": "This event is generated on domain controllers when trust settings are modified, including trust type, direction, attributes, and SID filtering state.",
  "key_fields": [
    {
      "field": "TdoType",
      "explanation": "The new trust type. Microsoft documents values including 1 downlevel, 2 uplevel, 3 MIT Kerberos, and 4 DCE."
    },
    {
      "field": "TdoDirection",
      "explanation": "The new trust direction. Value 0 disables the trust, 1 is inbound, 2 is outbound, and 3 is bidirectional."
    },
    {
      "field": "TdoAttributes / SidFilteringEnabled",
      "explanation": "Trust attributes must be converted to hex for interpretation. Microsoft documents values such as 0x4 quarantined domain, 0x8 forest transitive, 0x40 treat as external, 0x80 RC4 encryption for MIT trusts, 0x200 no TGT delegation, and 0x400 PIM trust."
    }
  ],
  "false_positives": [
    "Planned forest migration, merger, or trust-hardening work can legitimately modify trust attributes.",
    "Microsoft documents ANONYMOUS LOGON with Logon ID 0x3E6 during automatic trust password reset; validate related 4724 or 4742 before escalating."
  ],
  "related_event_ids": [
    "4706",
    "4724",
    "4742"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1484.002",
      "technique_name": "Domain Policy Modification: Trust Modification"
    }
  ],
  "detection_notes": "Alert on threshold=1 unplanned 4716 because MITRE T1484.002 covers adversaries modifying domain trust settings to elevate privileges or evade defenses. Prioritize TdoDirection=3, TdoAttributes adding 0x8 forest transitive, 0x40 treat-as-external, 0x80 RC4 on MIT trusts, or 0x400 PIM trust, and any SidFilteringEnabled=Disabled value. Microsoft documents ANONYMOUS LOGON with Logon ID 0x3E6 as possible automatic trust password reset, so correlate with 4724/4742 before treating that specific pattern as malicious.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4716\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=4716 | table _time, host",
  "sample_log": "EventID: 4716\nSubjectUserName: dadmin\nSubjectLogonId: 0x138eb0\nDomainSid: S-1-5-21-2226861337-2836268956-2433141405\nTdoType: 2\nTdoDirection: 3\nTdoAttributes: 64\nSidFilteringEnabled: Disabled",
  "source_url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4716",
  "route": "/windows-events/4716/",
  "canonical_url": "https://soceventlookup.com/windows-events/4716/",
  "json_url": "/api/events/windows-security/4716.json"
}
