T1505.005 Google Chronicle · YARA-L

Detect Terminal Services DLL in Google Chronicle

Adversaries modify or replace the Terminal Services DLL (termsrv.dll) to establish persistence or enable unauthorized RDP capabilities. The ServiceDll registry value at HKLM\System\CurrentControlSet\services\TermService\Parameters\ServiceDll points to termsrv.dll. Attackers can patch termsrv.dll to enable multiple concurrent RDP sessions on non-server editions, or redirect the ServiceDll to a malicious DLL that executes arbitrary code when the Remote Desktop Service starts. RDPWrap abuses this mechanism legitimately; attackers weaponize the same technique.

MITRE ATT&CK

Tactic: Persistence
Technique: T1505 Server Software Component
Sub-technique: T1505.005 Terminal Services DLL
Canonical reference: https://attack.mitre.org/techniques/T1505/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1505_005_terminal_services_dll_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Terminal Services DLL persistence: termsrv.dll modification, TermService ServiceDll registry tampering, non-System32 DLL loads for TermService, and RDPWrap registry indicators (MITRE T1505.005)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.005"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    (
      // Pattern 1: termsrv.dll written or created by a process that is not
      // part of Windows servicing (TrustedInstaller, wusa, dism, msiexec, setup, svchost)
      ($e.metadata.event_type = "FILE_MODIFICATION" or $e.metadata.event_type = "FILE_CREATION") and
      re.regex($e.target.file.full_path, `(?i)termsrv\.dll$`) and
      not re.regex($e.principal.process.file.full_path, `(?i)(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe$`)
    ) or
    (
      // Pattern 2: the TermService ServiceDll value under ...\TermService\Parameters is changed
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key, `(?i)TermService.*Parameters`) and
      re.regex($e.target.registry.registry_value_name, `(?i)ServiceDll`)
    ) or
    (
      // Pattern 3: the TermService host process (svchost ... -s TermService) loads a
      // termsrv.dll that does not live under System32. A DLL load is a module-load
      // event in UDM (PROCESS_MODULE_LOAD, e.g. Sysmon Event ID 7), not a process launch.
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
      re.regex($e.principal.process.command_line, `(?i)TermService`) and
      re.regex($e.target.file.full_path, `(?i)termsrv\.dll$`) and
      not re.regex($e.target.file.full_path, `(?i)\\System32\\`)
    ) or
    (
      // Pattern 4: registry keys written by RDPWrap
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      (
        re.regex($e.target.registry.registry_key, `(?i)rdpwrap`) or
        (
          re.regex($e.target.registry.registry_key, `(?i)TermService`) and
          re.regex($e.target.registry.registry_key, `(?i)(LogFile|SrvcDllInitRegs)`)
        )
      )
    )

  condition:
    $e
}
```

Severity: HIGH · Confidence: HIGH

Chronicle YARA-L 2.0 rule detecting all four T1505.005 sub-patterns using UDM event model: termsrv.dll file write by non-trusted processes, TermService ServiceDll registry value modification, non-System32 DLL path loading for TermService process, and RDPWrap-specific registry key creation/modification.

Data Sources

  • Google Chronicle SIEM
  • Windows Sysmon via Chronicle Forwarder
  • Google Chronicle Unified Data Model (UDM)

Required Tables

UDM Events (FILE_MODIFICATION, FILE_CREATION, REGISTRY_MODIFICATION, PROCESS_LAUNCH)

False Positives & Tuning

  • Legitimate Windows servicing via TrustedInstaller replacing termsrv.dll during cumulative updates — excluded by process name filter; validate against patch deployment schedule
  • RDPWrap utility legitimately installed and configured by IT teams for multi-session remote access on non-server Windows editions — Pattern 4 will fire; maintain an approved-host exception list
  • Security tools or EDR agents that monitor or snapshot termsrv.dll and generate file read/write telemetry as part of integrity checking processes
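To see how the four patterns above behave on concrete telemetry, and how the approved-host exception from the tuning notes suppresses Pattern 4 without touching the other three, here is an added Python emulation of the rule's logic. It is not part of the original page or of the Argus rule; it reuses the rule's own regexes over a flattened dict of UDM field paths, the sample events and hostnames are constructed for this example, and it assumes the termsrv.dll load in Pattern 3 arrives as a PROCESS_MODULE_LOAD event with the loaded module in target.file.full_path.

```python
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]  # flattened UDM field path -> value (assumption: flat dict)


def _match(pattern: str, value: str) -> bool:
    """Case-insensitive search, mirroring the rule's (?i) re.regex calls."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def pattern1_termsrv_write(e: Event) -> bool:
    """termsrv.dll created/modified by a process outside the servicing allowlist."""
    return (e.get("metadata.event_type") in ("FILE_MODIFICATION", "FILE_CREATION")
            and _match(r"termsrv\.dll$", e.get("target.file.full_path", ""))
            and not _match(r"(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe$",
                           e.get("principal.process.file.full_path", "")))


def pattern2_servicedll_registry(e: Event) -> bool:
    """ServiceDll value under ...\\TermService\\Parameters modified."""
    return (e.get("metadata.event_type") == "REGISTRY_MODIFICATION"
            and _match(r"TermService.*Parameters", e.get("target.registry.registry_key", ""))
            and _match(r"ServiceDll", e.get("target.registry.registry_value_name", "")))


def pattern3_non_system32_load(e: Event) -> bool:
    """TermService host loads termsrv.dll from outside System32 (assumed PROCESS_MODULE_LOAD)."""
    path = e.get("target.file.full_path", "")
    return (e.get("metadata.event_type") == "PROCESS_MODULE_LOAD"
            and _match(r"TermService", e.get("principal.process.command_line", ""))
            and _match(r"termsrv\.dll$", path)
            and not _match(r"\\System32\\", path))


def pattern4_rdpwrap_registry(e: Event) -> bool:
    """RDPWrap registry indicators."""
    key = e.get("target.registry.registry_key", "")
    return (e.get("metadata.event_type") == "REGISTRY_MODIFICATION"
            and (_match(r"rdpwrap", key)
                 or (_match(r"TermService", key) and _match(r"(LogFile|SrvcDllInitRegs)", key))))


PATTERNS = {
    "P1 termsrv.dll write by untrusted process": pattern1_termsrv_write,
    "P2 TermService ServiceDll modified": pattern2_servicedll_registry,
    "P3 termsrv.dll loaded outside System32": pattern3_non_system32_load,
    "P4 RDPWrap registry indicator": pattern4_rdpwrap_registry,
}


def classify(e: Event) -> List[str]:
    """Names of every rule pattern the event satisfies (the rule ORs them together)."""
    return [name for name, fn in PATTERNS.items() if fn(e)]


def evaluate(events: Iterable[Event],
             approved_rdpwrap_hosts: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (hostname, pattern) alerts; Pattern 4 is suppressed on approved RDPWrap hosts."""
    approved = {h.lower() for h in approved_rdpwrap_hosts}
    alerts: List[Tuple[str, str]] = []
    for e in events:
        host = e.get("principal.hostname", "?")
        for name in classify(e):
            if name.startswith("P4") and host.lower() in approved:
                continue  # tuning exception: IT-approved multi-session host
            alerts.append((host, name))
    return alerts


# Constructed sample events; hostnames and paths are invented for this example.
SAMPLE_EVENTS: List[Event] = [
    {"metadata.event_type": "FILE_MODIFICATION", "principal.hostname": "WKS-0142",
     "principal.process.file.full_path": r"C:\Users\Public\patcher.exe",
     "target.file.full_path": r"C:\Windows\System32\termsrv.dll"},              # P1
    {"metadata.event_type": "FILE_MODIFICATION", "principal.hostname": "WKS-0142",
     "principal.process.file.full_path": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target.file.full_path": r"C:\Windows\System32\termsrv.dll"},              # benign update
    {"metadata.event_type": "REGISTRY_MODIFICATION", "principal.hostname": "SRV-DB-03",
     "target.registry.registry_key": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters",
     "target.registry.registry_value_name": "ServiceDll",
     "target.registry.registry_value_data": r"C:\ProgramData\srv\termsrv.dll"},  # P2
    {"metadata.event_type": "PROCESS_MODULE_LOAD", "principal.hostname": "SRV-DB-03",
     "principal.process.command_line": r"C:\Windows\System32\svchost.exe -k NetworkService -s TermService",
     "target.file.full_path": r"C:\ProgramData\srv\termsrv.dll"},               # P3
    {"metadata.event_type": "REGISTRY_MODIFICATION", "principal.hostname": "KIOSK-07",
     "target.registry.registry_key": r"HKLM\SOFTWARE\RDPWrap"},                 # P4, approved host
    {"metadata.event_type": "REGISTRY_MODIFICATION", "principal.hostname": "WKS-0142",
     "target.registry.registry_key": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\LogFile"},  # P4
]

if __name__ == "__main__":
    for host, name in evaluate(SAMPLE_EVENTS, approved_rdpwrap_hosts={"kiosk-07"}):
        print(f"{host}: {name}")
```

Running it with the approved-host set yields one alert each for P1, P2, P3 and the unapproved P4; without the set the KIOSK-07 RDPWrap event alerts as well, which is the Pattern 4 noise the tuning note expects on legitimately configured hosts.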

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Query TermService ServiceDll Registry Value

    Expected signal: Sysmon EventCode 1: reg.exe process creation with TermService command line. No system changes made.

  2. Test 2: Simulate ServiceDll Registry Modification (Test)

    Expected signal: Sysmon EventCode 13: RegistryValueSet for TermService\Parameters\ServiceDll with non-standard value. Security Event 4657 (Registry value modified) if registry auditing is enabled.

  3. Test 3: Hash termsrv.dll and Validate Signature

    Expected signal: Sysmon EventCode 1: powershell.exe with Get-FileHash command. File access to termsrv.dll.
