T1505.005 CrowdStrike LogScale · LogScale

Detect Terminal Services DLL in CrowdStrike LogScale

Adversaries modify or replace the Terminal Services DLL (termsrv.dll) to establish persistence or enable unauthorized RDP capabilities. The ServiceDll registry value at HKLM\System\CurrentControlSet\services\TermService\Parameters\ServiceDll points to termsrv.dll. Attackers can patch termsrv.dll to enable multiple concurrent RDP sessions on non-server editions, or redirect the ServiceDll to a malicious DLL that executes arbitrary code when the Remote Desktop Service starts. RDPWrap uses this mechanism for a legitimate purpose; attackers weaponize the same technique.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.005 Terminal Services DLL
Canonical reference
https://attack.mitre.org/techniques/T1505/005/

LogScale Detection Query

CrowdStrike LogScale (CQL)

```cql
// T1505.005 - Terminal Services DLL Persistence
// Restrict to the Falcon sensor event types used below, then classify each event with case{}
in(field="#event_simpleName", values=["FileOpenInfo", "FileWrittenInfo", "RegSetValue", "RegCreateKey", "ClassifiedModuleLoad"])
| case {
    // Pattern 1: termsrv.dll file write by untrusted process
    in(field="#event_simpleName", values=["FileOpenInfo", "FileWrittenInfo"])
    | TargetFileName = /(?i)termsrv\.dll$/
    | not ImageFileName = /(?i)(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe$/
    | detection_type := "TermSrv_DLL_File_Modified";

    // Pattern 2: TermService ServiceDll registry value modification
    in(field="#event_simpleName", values=["RegSetValue", "RegCreateKey"])
    | RegObjectName = /(?i)TermService.*Parameters/
    | RegValueName = /(?i)ServiceDll/
    | detection_type := "TermService_ServiceDll_Registry_Modified";

    // Pattern 3: termsrv.dll loaded from a non-System32 path
    #event_simpleName = "ClassifiedModuleLoad"
    | CommandLine = /(?i)TermService/
    | ModuleFileName = /(?i)termsrv\.dll$/
    | not ModuleFileName = /(?i)\\System32\\/
    | detection_type := "TermService_Non_System32_DLL";

    // Pattern 4: RDPWrap registry indicators
    in(field="#event_simpleName", values=["RegSetValue", "RegCreateKey"])
    | (RegObjectName = /(?i)rdpwrap/
       OR (RegObjectName = /(?i)TermService/ AND RegObjectName = /(?i)(LogFile|SrvcDllInitRegs)/))
    | detection_type := "RDPWrap_Registry_Indicator"
  }
// Keep only events that matched one of the four patterns
| detection_type = *
| table([@timestamp, ComputerName, UserName, detection_type, ImageFileName, CommandLine,
         TargetFileName, RegObjectName, RegValueName, RegStringValue, ModuleFileName])
| sort(@timestamp, order=desc)
```

Severity: High · Confidence: High

CrowdStrike LogScale (CQL) query using Falcon sensor event types to detect T1505.005 across four patterns: termsrv.dll file write by non-trusted processes (FileWrittenInfo/FileOpenInfo), TermService ServiceDll registry value tampering (RegSetValue/RegCreateKey), non-System32 DLL module loads for TermService (ClassifiedModuleLoad), and RDPWrap registry key creation/modification.

Data Sources

  • CrowdStrike Falcon Endpoint Protection
  • CrowdStrike Falcon Data Replicator (FDR)
  • CrowdStrike LogScale SIEM

Required Tables

  • FileWrittenInfo
  • FileOpenInfo
  • RegSetValue
  • RegCreateKey
  • ClassifiedModuleLoad

False Positives & Tuning

  • Windows CBS/TrustedInstaller operations patching termsrv.dll during cumulative update deployment — excluded by process filter; correlate FileWrittenInfo events with patch deployment window records in CMDB
  • CrowdStrike Falcon sensor itself performing integrity checks on termsrv.dll that generate FileOpenInfo events — validate that ImageFileName matches Falcon sensor binary path
  • Legitimate RDPWrap installation generating RegCreateKey events under TermService and rdpwrap registry paths — verify installer was executed by an authorized administrator account and cross-check with ticketing system

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Query TermService ServiceDll Registry Value

     Expected signal: Sysmon EventCode 1: reg.exe process creation with TermService command line. No system changes made.

  2. Test 2: Simulate ServiceDll Registry Modification (Test)

     Expected signal: Sysmon EventCode 13: RegistryValueSet for TermService\Parameters\ServiceDll with non-standard value. Security Event 4657 (Registry value modified) if registry auditing is enabled.

  3. Test 3: Hash termsrv.dll and Validate Signature

     Expected signal: Sysmon EventCode 1: powershell.exe with Get-FileHash command. File access to termsrv.dll.
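An added host-side check, written for this page and not taken from it or from CrowdStrike, that verifies on a single endpoint the same artifacts the query patterns and the three tests above cover: where ServiceDll points, the signature and hash of the DLL actually in use, and redirection to an RDPWrap DLL. It assumes an elevated PowerShell session on the Windows host being validated.

```powershell
# Added example, not part of the original page: host-side verification of the state
# this detection watches. Run in an elevated PowerShell session on the endpoint under test.
$ErrorActionPreference = 'Stop'
$expectedDll = Join-Path $env:SystemRoot 'System32\termsrv.dll'
$paramsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$findings    = @()

# Check 1 (Test 1, query pattern 2): ServiceDll must resolve to the real termsrv.dll.
# Get-ItemProperty expands REG_EXPAND_SZ; expand again in case the value was written as REG_SZ.
$serviceDll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll).ServiceDll
$resolved   = [Environment]::ExpandEnvironmentVariables($serviceDll)
if ($resolved -ne $expectedDll) {
    $findings += "ServiceDll points outside System32: $serviceDll"
}
# Query pattern 4: RDPWrap is the common case of a redirected ServiceDll.
if ($resolved -match 'rdpwrap') {
    $findings += "ServiceDll references an RDPWrap DLL: $serviceDll"
}

# Check 2 (Test 3, query patterns 1 and 3): the DLL backing the service must carry a
# valid Microsoft signature. termsrv.dll is catalog-signed, which Get-AuthenticodeSignature
# validates against the installed catalogs.
$sig    = Get-AuthenticodeSignature -FilePath $resolved
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
    $findings += "Signature check failed for ${resolved}: status=$($sig.Status) signer=$signer"
}
$hash = (Get-FileHash -Path $resolved -Algorithm SHA256).Hash
Write-Output "termsrv.dll in use: $resolved"
Write-Output "SHA256: $hash (compare with a known-good copy from the same Windows build)"

if ($findings.Count -eq 0) {
    Write-Output 'No Terminal Services DLL tampering indicators found.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Running this generates the same Get-FileHash and termsrv.dll file-access telemetry Test 3 expects, so it doubles as a way to confirm the sensor is recording that activity.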
