Jaa


4716(S): Trusted domain information was modified.

Event 4716 illustration

Subcategory: Audit Authentication Policy Change

Event Description:

This event generates when the trust was modified.

This event is generated only on domain controllers.

Note  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4716</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>13569</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8020000000000000</Keywords> 
 <TimeCreated SystemTime="2015-10-01T22:55:54.560735500Z" /> 
 <EventRecordID>1049763</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="500" ThreadID="4920" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
 <Data Name="SubjectUserName">dadmin</Data> 
 <Data Name="SubjectDomainName">CONTOSO</Data> 
 <Data Name="SubjectLogonId">0x138eb0</Data> 
 <Data Name="DomainName">-</Data> 
 <Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data> 
 <Data Name="TdoType">2</Data> 
 <Data Name="TdoDirection">3</Data> 
 <Data Name="TdoAttributes">32</Data> 
 <Data Name="SidFilteringEnabled">-</Data> 
 </EventData>
 </Event>

Required Server Roles: Active Directory domain controller.

Minimum OS Version: Windows Server 2008.

Event Versions: 0.

Field Descriptions:

Subject:

  • Security ID [Type = SID]: SID of account that requested the “modify domain trust settings” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note  A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that requested the “modify domain trust settings” operation.

  • Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Trusted Domain:

  • Domain Name [Type = UnicodeString]: the name of changed trusted domain. If this attribute was not changed, then it will have “-“ value.

  • Domain ID [Type = SID]: SID of changed trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

New Trust Information:

  • Trust Type [Type = UInt32]: the type of new trust. If this attribute was not changed, then it will have “-“ value or its old value. The following table contains possible values for this field:
Value Attribute Value Description
1 TRUST_TYPE_DOWNLEVEL The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000.
2 TRUST_TYPE_UPLEVEL The domain controller of the trusted domain is a computer running Windows 2000 or later.
3 TRUST_TYPE_MIT The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a SID is not required for the TDO, and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [RFC4120] section 8.1).
4 TRUST_TYPE_DCE The trusted domain is a DCE realm. Historical reference, this value is not used in Windows.
  • Trust Direction [Type = UInt32]: the direction of new trust. If this attribute was not changed, then it will have “-“ value or its old value. The following table contains possible values for this field:
Value Attribute Value Description
0 TRUST_DIRECTION_DISABLED The trust relationship exists, but it has been disabled.
1 TRUST_DIRECTION_INBOUND The trusted domain trusts the primary domain to perform operations such as name lookups and authentication.
2 TRUST_DIRECTION_OUTBOUND The primary domain trusts the trusted domain to perform operations such as name lookups and authentication.
3 TRUST_DIRECTION_BIDIRECTIONAL Both domains trust one another for operations such as name lookups and authentication.
  • Trust Attributes [Type = UInt32]: the decimal value of attributes for new trust. You need convert decimal value to hexadecimal and find it in the table below. If this attribute was not changed, then it will have “-“ value or its old value. The following table contains possible values for this field:
Value Attribute Value Description
0x1 TRUST_ATTRIBUTE_NON_TRANSITIVE If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage.
0x2 TRUST_ATTRIBUTE_UPLEVEL_ONLY If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. Netlogon does not consume trust objects that have this flag set.
0x4 TRUST_ATTRIBUTE_QUARANTINED_DOMAIN If this bit is set, the trusted domain is quarantined and is subject to the rules of SID Filtering as described in [MS-PAC] section 4.1.2.2.
0x8 TRUST_ATTRIBUTE_FOREST_TRANSITIVE If this bit is set, the trust link is a cross-forest trust [MS-KILE] between the root domains of two forests, both of which are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
0x10 TRUST_ATTRIBUTE_CROSS_ORGANIZATION If this bit is set, then the trust is to a domain or forest that is not part of the organization. The behavior controlled by this bit is explained in [MS-KILE] section 3.3.5.7.5 and [MS-APDS] section 3.1.5.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
0x20 TRUST_ATTRIBUTE_WITHIN_FOREST If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
0x40 TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently filtered than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
0x80 TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION This bit is set on trusts with the trustType set to TRUST_TYPE_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([RFC4120], [RFC3961]). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [MS-KILE], so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section 6.1.6.9.1.
Only evaluated on TRUST_TYPE_MIT
0x200 TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [MS-KILE] section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
0x400 TRUST_ATTRIBUTE_PIM_TRUST If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS_BEHAVIOR_WINTHRESHOLD or greater.
  • SID Filtering [Type = UnicodeString]: SID Filtering state for the new trust:

    • Enabled

    • Disabled

      If this attribute was not changed, then it will have “-“ value or its old value.

Security Monitoring Recommendations

For 4716(S): Trusted domain information was modified.

  • Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.

Anonymous Logon account

If the account reported in the event is Anonymous Logon, it means the password is changed by system automatic password reset. For example:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          <time>
Event ID:      4716
Task Category: Authentication Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      <fqdn>
Description:
Trusted domain information was modified.    //When trust gets reset, this event generates
Subject:
 Security ID:  ANONYMOUS LOGON              //Confirms that anonymous logon account is reported when Automatic password reset for the trust is performed
 Account Name:  ANONYMOUS LOGON
 Account Domain:  NT AUTHORITY
 Logon ID:  0x3E6

After event 4716, you may see either event 4724 or event 4742 or both:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          <time>
Event ID:      4724
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      <FQDN>
Description:
An attempt was made to reset an account's password.

Subject:
	Security ID:		ANONYMOUS LOGON
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0x3E6

Target Account:
	Security ID:		CONTOSO\CONTOSOPEERTREE$     //OBJECT representing the TRUST object
	Account Name:		CONTOSOPEERTREE$
	Account Domain:		CONTOSO
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          <time>
Event ID:      4742
Task Category: Computer Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      <FQDN>
Description:
A computer account was changed.

Subject:
	Security ID:		ANONYMOUS LOGON
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0x3E6

Computer Account That Was Changed:
	Security ID:		CONTOSO\CONTOSOPEERTREE$
	Account Name:		CONTOSOPEERTREE$
	Account Domain:		CONTOSO

Changed Attributes:
	...
	Password Last Set:	<time>
	...

Additional Information:
	Privileges:		-