Detect Terminal Services DLL in Elastic Security
Adversaries modify or replace the Terminal Services DLL (termsrv.dll) to establish persistence or to enable RDP capabilities the edition does not normally allow. The Remote Desktop Services service (TermService) runs inside svchost.exe and loads the DLL named by the ServiceDll value at HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters, which by default points to %SystemRoot%\System32\termsrv.dll. Two abuses follow from that: patching termsrv.dll in place to permit multiple concurrent RDP sessions on client (non-Server) editions, or redirecting ServiceDll to an attacker-controlled DLL that runs as SYSTEM every time the service starts. RDP Wrapper (RDPWrap) relies on exactly this ServiceDll redirection to provide multi-session RDP, which is why administrators install it deliberately and why an attacker's copy of the same technique can hide behind it.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1505 Server Software Component
- Sub-technique
- T1505.005 Terminal Services DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1505/005/
Elastic Detection Query
any where
  (event.category == "file" and event.action in ("creation", "modification") and
   file.name : "termsrv.dll" and
   not process.name : ("TrustedInstaller.exe", "wusa.exe", "dism.exe", "msiexec.exe", "setup.exe", "svchost.exe"))
  or
  (event.category == "registry" and event.action in ("modification", "creation") and
   registry.path : "*TermService*Parameters*ServiceDll*")
  or
  (event.category == "library" and
   process.command_line : "*TermService*" and
   file.name : "termsrv.dll" and
   not file.path : "*\\System32\\*")
  or
  (event.category == "registry" and
   (registry.path : "*rdpwrap*" or
    (registry.path : "*TermService*" and registry.path : ("*LogFile*", "*SrvcDllInitRegs*"))))

// Simpler flat variant. It drops the library-load branch and the setup.exe / svchost.exe
// exclusions, so it fires on more file writes but misses a redirected DLL that is only
// visible at load time:
// any where
//   (event.category == "file" and file.name : "termsrv.dll" and not process.name : ("TrustedInstaller.exe", "wusa.exe", "dism.exe", "msiexec.exe")) or
//   (event.category == "registry" and registry.path : "*TermService*Parameters*ServiceDll*") or
//   (event.category == "registry" and registry.path : "*rdpwrap*")

The rule is a single flat `any where` query rather than a `sequence`: EQL sequences need at least two subqueries, and the four branches are independent indicators that each warrant an alert on their own. It detects Terminal Services DLL persistence via termsrv.dll creation or modification by anything other than the expected servicing binaries, TermService ServiceDll registry changes, termsrv.dll loads from outside System32 by the svchost instance hosting TermService, and RDPWrap-style registry indicators. The four branches correspond to the four detection patterns of the reference KQL/SPL versions of this rule. Two points to check when deploying it: the library branch only works if your endpoint sensor emits image-load events (Sysmon Event ID 7 or Elastic Defend library events), and the `process.command_line : "*TermService*"` match assumes the hosting svchost.exe was started with `-s TermService`, which is the case on current Windows builds but not on older ones that ran TermService in a shared service group.
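To see exactly what each branch matches and where the false positives come from, the following added example (written for this page, not Elastic's or any vendor's code) re-implements the four branches of the query above in plain Python and runs them over a handful of constructed ECS-shaped events. It also applies the triage check a responder wants on every ServiceDll alert: whether the new value still resolves to the default %SystemRoot%\System32\termsrv.dll (a repair or update) or has been redirected elsewhere. The host names, paths and the `HKLM\SOFTWARE\rdpwrap\Installed` key in the sample events are constructed for the example; `event.category` is treated as a single string for simplicity, whereas real Elastic documents carry it as an array.

```python
"""Plain-Python re-implementation of the four EQL branches, run over
constructed ECS-shaped events. Added example, not Elastic's own code."""
import fnmatch

DEFAULT_SERVICEDLL = r"c:\windows\system32\termsrv.dll"
# Mirrors the exclusion list in the rule's file branch.
EXPECTED_UPDATERS = {"trustedinstaller.exe", "wusa.exe", "dism.exe",
                     "msiexec.exe", "setup.exe", "svchost.exe"}


def get(event, dotted):
    """Walk a nested ECS dict by dotted field name; None if the field is absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def like(value, pattern):
    """Case-insensitive wildcard compare, i.e. the EQL ':' operator on one pattern."""
    return isinstance(value, str) and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def normalize_dll_path(value):
    """Expand %SystemRoot% and lower-case so ServiceDll values compare cleanly."""
    return value.lower().replace("%systemroot%", r"c:\windows").strip('"')


def servicedll_is_default(event):
    """True when every string in registry.data.strings still points at the stock DLL."""
    vals = get(event, "registry.data.strings") or []
    return bool(vals) and all(normalize_dll_path(v) == DEFAULT_SERVICEDLL for v in vals)


def branch(event):
    """Return the name of the first rule branch the event satisfies, else None."""
    cat, action = get(event, "event.category"), get(event, "event.action")
    if (cat == "file" and action in ("creation", "modification")
            and like(get(event, "file.name"), "termsrv.dll")
            and (get(event, "process.name") or "").lower() not in EXPECTED_UPDATERS):
        return "termsrv_file_write"
    path = get(event, "registry.path")
    if (cat == "registry" and action in ("creation", "modification")
            and like(path, "*TermService*Parameters*ServiceDll*")):
        return "servicedll_change"
    if (cat == "library" and like(get(event, "process.command_line"), "*TermService*")
            and like(get(event, "file.name"), "termsrv.dll")
            and not like(get(event, "file.path"), "*\\System32\\*")):
        return "non_system32_load"
    if cat == "registry" and (like(path, "*rdpwrap*") or (
            like(path, "*TermService*")
            and any(like(path, p) for p in ("*LogFile*", "*SrvcDllInitRegs*")))):
        return "rdpwrap_indicator"
    return None


def detect(events):
    """Evaluate every event; attach a triage note to ServiceDll changes."""
    hits = []
    for i, e in enumerate(events):
        b = branch(e)
        if b is None:
            continue
        note = ""
        if b == "servicedll_change":
            note = ("value is the default path (repair/update?)"
                    if servicedll_is_default(e) else "ServiceDll REDIRECTED")
        hits.append({"index": i, "host": get(e, "host.name"), "branch": b, "note": note})
    return hits


# Constructed sample telemetry for this example (hosts, paths and the rdpwrap key are made up).
TERMSVC_CMD = "svchost.exe -k termsvcs -s TermService"
SAMPLE_EVENTS = [
    {"host": {"name": "ws01"}, "event": {"category": "file", "action": "modification"},
     "file": {"name": "termsrv.dll", "path": r"C:\Windows\System32\termsrv.dll"},
     "process": {"name": "TrustedInstaller.exe"}},                      # patch cycle: excluded
    {"host": {"name": "ws01"}, "event": {"category": "file", "action": "modification"},
     "file": {"name": "termsrv.dll", "path": r"C:\Windows\System32\termsrv.dll"},
     "process": {"name": "cmd.exe"}},                                   # in-place patch
    {"host": {"name": "ws01"}, "event": {"category": "registry", "action": "modification"},
     "registry": {"path": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
                  "data": {"strings": [r"C:\ProgramData\rdpwrap.dll"]}}},  # redirected
    {"host": {"name": "ws02"}, "event": {"category": "registry", "action": "modification"},
     "registry": {"path": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
                  "data": {"strings": [r"%SystemRoot%\System32\termsrv.dll"]}}},  # default value
    {"host": {"name": "ws02"}, "event": {"category": "library"},
     "process": {"command_line": TERMSVC_CMD},
     "file": {"name": "termsrv.dll", "path": r"C:\Windows\Temp\termsrv.dll"}},  # load outside System32
    {"host": {"name": "ws02"}, "event": {"category": "library"},
     "process": {"command_line": TERMSVC_CMD},
     "file": {"name": "termsrv.dll", "path": r"C:\Windows\System32\termsrv.dll"}},  # normal load
    {"host": {"name": "ws03"}, "event": {"category": "registry", "action": "creation"},
     "registry": {"path": r"HKLM\SOFTWARE\rdpwrap\Installed"}},         # RDPWrap artefact
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running it yields five hits out of seven events: the TrustedInstaller write and the in-System32 load are silent, the cmd.exe write, both ServiceDll changes, the Temp-directory load and the rdpwrap key fire, and only the ws01 ServiceDll change is marked REDIRECTED. Note that the branch order matters for attribution only, not for detection; an event satisfying two branches reports the first one.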
Data Sources
- Windows endpoint telemetry indexed as ECS `file`, `registry` and `library` events, for example Elastic Defend or Sysmon (Event ID 11 for file creation, 12/13 for registry key and value changes, 7 for image loads) shipped through the Elastic Agent Windows integration
- Optionally Windows Security Event 4657 (registry value modified), which only appears if a SACL has been set on the TermService\Parameters key
False Positives & Tuning
- Legitimate Windows Update via TrustedInstaller.exe replacing termsrv.dll during a cumulative update cycle. The process-name exclusion should already suppress this; if a hit still appears, confirm the replaced file carries a valid Microsoft Authenticode signature and that a KB in the host's update history explains the timing
- RDPWrap tool installed by IT administrators for legitimate multi-session RDP support on workstations — verify change management record and installer identity
- DISM or SCCM deployment of Windows OS updates that modify termsrv.dll as part of an approved patch rollout
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Query TermService ServiceDll Registry Value
Expected signal: Sysmon EventCode 1: reg.exe process creation with TermService in the command line. No system changes made, so the registry and file branches of the rule stay quiet; this test only confirms that process telemetry is arriving.
- Test 2: Simulate ServiceDll Registry Modification (Test)
Expected signal: Sysmon EventCode 13: RegistryValueSet for TermService\Parameters\ServiceDll with a non-standard value, which should trigger the ServiceDll branch of the rule. Security Event 4657 (Registry value modified) appears as well if Object Access auditing is enabled and a SACL is set on the key. Restore the original value afterwards or the Remote Desktop Service will fail on its next start.
- Test 3: Hash termsrv.dll and Validate Signature
Expected signal: Sysmon EventCode 1: powershell.exe with a Get-FileHash command, plus file access to termsrv.dll. Record the hash and signer as the baseline you compare against when the file branch fires.