T1505.005 Terminal Services DLL Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1505.005 — Terminal Services DLL persistence detection
// Monitor termsrv.dll modification and ServiceDll registry key changes
// Part 1: Detect modification of termsrv.dll
let TermsrvMod = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName =~ "termsrv.dll"
| where ActionType in ("FileModified", "FileCreated")
| where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "wusa.exe", "dism.exe",
                                         "msiexec.exe", "setup.exe", "svchost.exe")
| extend DetectionType = "TermSrv_DLL_Modified"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect TermService ServiceDll registry key modification
let TermServiceReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("TermService", "Parameters")
| where RegistryValueName =~ "ServiceDll"
| extend DetectionType = "TermService_ServiceDll_Modified"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect suspicious DLLs loaded by svchost.exe for TermService
let TermServiceDLL = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessCommandLine has "TermService"
| where FileName =~ "termsrv.dll"
| where FolderPath !has "\\System32\\"
| extend DetectionType = "TermService_Non_Standard_DLL"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 4: Detect RDPWrap-style registry indicators
let RDPWrapReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("rdpwrap", "RDPWrap", "rdpwrapper")
    or (RegistryKey has "TermService" and RegistryValueName has_any ("LogFile", "SrvcDllInitRegs"))
| extend DetectionType = "RDPWrap_Registry_Indicator"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, DetectionType;
union TermsrvMod, TermServiceReg, TermServiceDLL, RDPWrapReg
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Modification Windows Registry: Registry Value Modification Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents DeviceImageLoadEvents

False Positives

Windows Update patching termsrv.dll via TrustedInstaller (expected — exclude by initiating process)
RDPWrap legitimate deployment by IT administrators to enable concurrent RDP sessions on Windows 10 workstations for remote support
Third-party remote access tools that integrate with or extend Terminal Services
Virtual desktop infrastructure (VDI) solutions that customize Terminal Services behavior

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=11 AND
      match(TargetFilename, "(?i)termsrv\.dll$") AND
      NOT match(Image, "(?i)(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe"),
      "TermSrv_DLL_File_Modified",
    EventCode=13 AND
      match(TargetObject, "(?i)TermService.*Parameters.*ServiceDll"),
      "TermService_ServiceDll_Registry_Modified",
    EventCode=7 AND
      match(CommandLine, "(?i)TermService") AND
      match(ImageLoaded, "(?i)termsrv\.dll") AND
      NOT match(ImageLoaded, "(?i)\\\\System32\\\\"),
      "TermService_Non_System32_DLL",
    EventCode IN (12,13) AND
      (match(TargetObject, "(?i)rdpwrap") OR
       (match(TargetObject, "(?i)TermService") AND
        match(TargetObject, "(?i)(LogFile|SrvcDllInitRegs)"))),
      "RDPWrap_Registry_Indicator",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, TargetFilename,
        TargetObject, Details, ImageLoaded
| sort - _time

high severity high confidence

Data Sources

File: File Modification Windows Registry: Registry Value Modification Module: Module Load Sysmon Event ID 7, 11, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Windows Update patching termsrv.dll
Legitimate RDPWrap deployment for authorized concurrent RDP sessions
VDI solution customizations to Terminal Services

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [any where
    (event.category == "file" and event.action in ("creation", "modification") and
     file.name : "termsrv.dll" and
     not process.name : ("TrustedInstaller.exe", "wusa.exe", "dism.exe", "msiexec.exe", "setup.exe", "svchost.exe"))
  or
    (event.category == "registry" and event.action in ("modification", "creation") and
     registry.path : "*TermService*Parameters*ServiceDll*")
  or
    (event.category == "library" and
     process.command_line : "*TermService*" and
     file.name : "termsrv.dll" and
     not file.path : "*\\System32\\*")
  or
    (event.category == "registry" and
     (registry.path : "*rdpwrap*" or
      (registry.path : "*TermService*" and registry.path : ("*LogFile*", "*SrvcDllInitRegs*"))))
  ] by host.id

// Alternative flat query for broader coverage:
// any where
//   (event.category == "file" and file.name : "termsrv.dll" and not process.name : ("TrustedInstaller.exe","wusa.exe","dism.exe","msiexec.exe")) or
//   (event.category == "registry" and registry.path : "*TermService*Parameters*ServiceDll*") or
//   (event.category == "registry" and registry.path : "*rdpwrap*")

high severity high confidence

Data Sources

Windows Sysmon (Elastic Agent) Elastic Endpoint Security Windows Security Events

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.library-* logs-windows.sysmon_operational-*

False Positives

Legitimate Windows Update via TrustedInstaller.exe replacing termsrv.dll during a cumulative update cycle — verify SHA256 hash against Microsoft SSTP catalog
RDPWrap tool installed by IT administrators for legitimate multi-session RDP support on workstations — verify change management record and installer identity
DISM or SCCM deployment of Windows OS updates that modify termsrv.dll as part of an approved patch rollout

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "hostname",
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "TargetFilename",
  "TargetObject",
  "Image",
  "CommandLine",
  "Details",
  CASE
    WHEN UTF8(payload) LIKE '%termsrv.dll%'
         AND (QIDNAME(qid) LIKE '%FileCreate%' OR UTF8(payload) LIKE '%EventCode=11%')
         AND UTF8(payload) NOT LIKE '%TrustedInstaller%'
         AND UTF8(payload) NOT LIKE '%wusa.exe%'
         AND UTF8(payload) NOT LIKE '%dism.exe%'
         AND UTF8(payload) NOT LIKE '%msiexec.exe%'
      THEN 'TermSrv_DLL_File_Modified'
    WHEN UTF8(payload) LIKE '%TermService%Parameters%ServiceDll%'
         AND (QIDNAME(qid) LIKE '%RegistryValue%' OR UTF8(payload) LIKE '%EventCode=13%')
      THEN 'TermService_ServiceDll_Registry_Modified'
    WHEN UTF8(payload) LIKE '%termsrv.dll%'
         AND UTF8(payload) LIKE '%TermService%'
         AND UTF8(payload) NOT LIKE '%System32%'
         AND (QIDNAME(qid) LIKE '%ImageLoad%' OR UTF8(payload) LIKE '%EventCode=7%')
      THEN 'TermService_Non_System32_DLL'
    WHEN UTF8(payload) LIKE '%rdpwrap%'
         OR (UTF8(payload) LIKE '%TermService%'
             AND (UTF8(payload) LIKE '%LogFile%' OR UTF8(payload) LIKE '%SrvcDllInitRegs%'))
      THEN 'RDPWrap_Registry_Indicator'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 101, 397, 398)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (UTF8(payload) LIKE '%termsrv.dll%')
    OR (UTF8(payload) LIKE '%TermService%Parameters%ServiceDll%')
    OR (UTF8(payload) LIKE '%rdpwrap%')
    OR (UTF8(payload) LIKE '%SrvcDllInitRegs%')
  )
HAVING detection_type IS NOT NULL
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log DSM Sysmon DSM for QRadar

Required Tables

events

False Positives

Windows Update servicing stack (TrustedInstaller.exe) modifying termsrv.dll during Patch Tuesday rollout — correlate with change window and patch bulletin
Enterprise endpoint management tools (SCCM, Intune) deploying Windows feature updates that touch termsrv.dll as part of an approved deployment
Legitimate RDPWrap installation by IT helpdesk to enable concurrent remote sessions on developer workstations — validate against asset exception list

Sumo Logic CSE

sql

// T1505.005 — Terminal Services DLL persistence
// Source: Windows Sysmon via Sumo Logic
_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon"
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<TargetObject>*</TargetObject>" as target_object nodrop
| parse "<Details>*</Details>" as details nodrop
| parse "<ImageLoaded>*</ImageLoaded>" as image_loaded nodrop
| parse "<Computer>*</Computer>" as computer nodrop
| parse "<User>*</User>" as user nodrop
| where (
    // FileCreate — termsrv.dll modified by untrusted process
    (event_id = "11" and
     target_filename matches /(?i)termsrv\.dll$/ and
     !(image matches /(?i)(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe$/))
    or
    // RegistryValue — TermService ServiceDll key modified
    (event_id = "13" and
     target_object matches /(?i)TermService.*Parameters.*ServiceDll/)
    or
    // ImageLoad — termsrv.dll loaded from outside System32
    (event_id = "7" and
     command_line matches /(?i)TermService/ and
     image_loaded matches /(?i)termsrv\.dll$/ and
     !(image_loaded matches /(?i)\\System32\\/))
    or
    // Registry — RDPWrap indicators
    (event_id in ("12","13") and
     (target_object matches /(?i)rdpwrap/ or
      (target_object matches /(?i)TermService/ and
       target_object matches /(?i)(LogFile|SrvcDllInitRegs)/)))
  )
| eval detection_type = if(event_id = "11" and target_filename matches /(?i)termsrv\.dll$/,
    "TermSrv_DLL_File_Modified",
    if(event_id = "13" and target_object matches /(?i)TermService.*Parameters.*ServiceDll/,
      "TermService_ServiceDll_Registry_Modified",
      if(event_id = "7" and image_loaded matches /(?i)termsrv\.dll$/ and !(image_loaded matches /(?i)\\System32\\/),
        "TermService_Non_System32_DLL",
        "RDPWrap_Registry_Indicator"
      )
    )
  )
| fields _messageTime, computer, user, detection_type, event_id, image, command_line,
         target_filename, target_object, details, image_loaded
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Installed Collector Sumo Logic Windows Source

Required Tables

windows/sysmon WinEventLog/Sysmon

False Positives

Windows Update or CBS servicing operations that replace termsrv.dll during patch application — the initiating process will be TrustedInstaller.exe which is excluded, but validate timestamps match patch windows
In-place Windows upgrade or repair installation touching termsrv.dll via setup.exe or dism.exe — excluded by default but verify context
Legitimate RDPWrap deployment for IT remote support on workstations — the rdpwrap registry key pattern will fire; verify installer provenance and approval

Google Chronicle / SecOps

yaral

rule t1505_005_terminal_services_dll_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Terminal Services DLL persistence: termsrv.dll modification, TermService ServiceDll registry tampering, non-System32 DLL loads for TermService, and RDPWrap registry indicators (MITRE T1505.005)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.005"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    (
      // Pattern 1: termsrv.dll file modification by untrusted process
      ($e.metadata.event_type = "FILE_MODIFICATION" or $e.metadata.event_type = "FILE_CREATION") and
      re.regex($e.target.file.full_path, `(?i)termsrv\.dll$`) and
      not re.regex($e.principal.process.file.full_path, `(?i)(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe$`)
    ) or
    (
      // Pattern 2: TermService ServiceDll registry modification
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key, `(?i)TermService.*Parameters`) and
      re.regex($e.target.registry.registry_value_name, `(?i)ServiceDll`)
    ) or
    (
      // Pattern 3: TermService loading termsrv.dll from non-System32 path
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.command_line, `(?i)TermService`) and
      re.regex($e.target.file.full_path, `(?i)termsrv\.dll$`) and
      not re.regex($e.target.file.full_path, `(?i)\\System32\\`)
    ) or
    (
      // Pattern 4: RDPWrap registry indicators
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      (
        re.regex($e.target.registry.registry_key, `(?i)rdpwrap`) or
        (
          re.regex($e.target.registry.registry_key, `(?i)TermService`) and
          re.regex($e.target.registry.registry_key, `(?i)(LogFile|SrvcDllInitRegs)`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Sysmon via Chronicle Forwarder Google Chronicle Unified Data Model (UDM)

Required Tables

UDM Events (FILE_MODIFICATION, FILE_CREATION, REGISTRY_MODIFICATION, PROCESS_LAUNCH)

False Positives

Legitimate Windows servicing via TrustedInstaller replacing termsrv.dll during cumulative updates — excluded by process name filter; validate against patch deployment schedule
RDPWrap utility legitimately installed and configured by IT teams for multi-session remote access on non-server Windows editions — Pattern 4 will fire; maintain an approved-host exception list
Security tools or EDR agents that monitor or snapshot termsrv.dll and generate file read/write telemetry as part of integrity checking processes

CrowdStrike LogScale (CQL)

cql

// T1505.005 — Terminal Services DLL Persistence
// Pattern 1: termsrv.dll file write by untrusted process
#event_simpleName IN ("FileOpenInfo", "FileWrittenInfo")
| TargetFileName = /(?i)termsrv\.dll$/
| ImageFileName != /(?i)(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe$/
| eval detection_type = "TermSrv_DLL_File_Modified"
| table [@timestamp, ComputerName, UserName, detection_type, ImageFileName, CommandLine, TargetFileName]

// Union Pattern 2: TermService ServiceDll registry key modification
| union [
  #event_simpleName IN ("RegSetValue", "RegCreateKey")
  | RegObjectName = /(?i)TermService.*Parameters/
  | RegValueName = /(?i)ServiceDll/i
  | eval detection_type = "TermService_ServiceDll_Registry_Modified"
  | table [@timestamp, ComputerName, UserName, detection_type, ImageFileName, CommandLine,
           RegObjectName, RegValueName, RegStringValue]
]

// Union Pattern 3: termsrv.dll loaded from non-System32 path
| union [
  #event_simpleName = "ClassifiedModuleLoad"
  | CommandLine = /(?i)TermService/
  | ModuleFileName = /(?i)termsrv\.dll$/
  | ModuleFileName != /(?i)\\System32\\/
  | eval detection_type = "TermService_Non_System32_DLL"
  | table [@timestamp, ComputerName, UserName, detection_type, ImageFileName, CommandLine,
           ModuleFileName]
]

// Union Pattern 4: RDPWrap registry indicators
| union [
  #event_simpleName IN ("RegSetValue", "RegCreateKey")
  | (RegObjectName = /(?i)rdpwrap/
     OR (RegObjectName = /(?i)TermService/ AND RegObjectName = /(?i)(LogFile|SrvcDllInitRegs)/))
  | eval detection_type = "RDPWrap_Registry_Indicator"
  | table [@timestamp, ComputerName, UserName, detection_type, ImageFileName,
           RegObjectName, RegValueName, RegStringValue]
]

| sort @timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Data Replicator (FDR) CrowdStrike LogScale SIEM

Required Tables

FileWrittenInfo FileOpenInfo RegSetValue RegCreateKey ClassifiedModuleLoad

False Positives

Windows CBS/TrustedInstaller operations patching termsrv.dll during cumulative update deployment — excluded by process filter; correlate FileWrittenInfo events with patch deployment window records in CMDB
CrowdStrike Falcon sensor itself performing integrity checks on termsrv.dll that generate FileOpenInfo events — validate that ImageFileName matches Falcon sensor binary path
Legitimate RDPWrap installation generating RegCreateKey events under TermService and rdpwrap registry paths — verify installer was executed by an authorized administrator account and cross-check with ticketing system

Terminal Services DLL

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections