T1505.005 IBM QRadar · QRadar

Detect Terminal Services DLL in IBM QRadar

Adversaries modify or replace the Terminal Services DLL (termsrv.dll) to establish persistence or enable unauthorized RDP capabilities. The ServiceDll registry value at HKLM\System\CurrentControlSet\services\TermService\Parameters\ServiceDll points to termsrv.dll. Attackers can patch termsrv.dll to enable multiple concurrent RDP sessions on non-server editions, or redirect the ServiceDll to a malicious DLL that executes arbitrary code when the Remote Desktop Service starts. RDPWrap abuses this mechanism legitimately; attackers weaponize the same technique.

MITRE ATT&CK

Tactic: Persistence
Technique: T1505 Server Software Component
Sub-technique: T1505.005 Terminal Services DLL
Canonical reference: https://attack.mitre.org/techniques/T1505/005/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "hostname",
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "TargetFilename",
  "TargetObject",
  "Image",
  "CommandLine",
  "Details",
  CASE
    WHEN UTF8(payload) LIKE '%termsrv.dll%'
         AND (QIDNAME(qid) LIKE '%FileCreate%' OR UTF8(payload) LIKE '%EventCode=11%')
         AND UTF8(payload) NOT LIKE '%TrustedInstaller%'
         AND UTF8(payload) NOT LIKE '%wusa.exe%'
         AND UTF8(payload) NOT LIKE '%dism.exe%'
         AND UTF8(payload) NOT LIKE '%msiexec.exe%'
      THEN 'TermSrv_DLL_File_Modified'
    WHEN UTF8(payload) LIKE '%TermService%Parameters%ServiceDll%'
         AND (QIDNAME(qid) LIKE '%RegistryValue%' OR UTF8(payload) LIKE '%EventCode=13%')
      THEN 'TermService_ServiceDll_Registry_Modified'
    WHEN UTF8(payload) LIKE '%termsrv.dll%'
         AND UTF8(payload) LIKE '%TermService%'
         AND UTF8(payload) NOT LIKE '%System32%'
         AND (QIDNAME(qid) LIKE '%ImageLoad%' OR UTF8(payload) LIKE '%EventCode=7%')
      THEN 'TermService_Non_System32_DLL'
    WHEN UTF8(payload) LIKE '%rdpwrap%'
         OR (UTF8(payload) LIKE '%TermService%'
             AND (UTF8(payload) LIKE '%LogFile%' OR UTF8(payload) LIKE '%SrvcDllInitRegs%'))
      THEN 'RDPWrap_Registry_Indicator'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 101, 397, 398)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (UTF8(payload) LIKE '%termsrv.dll%')
    OR (UTF8(payload) LIKE '%TermService%Parameters%ServiceDll%')
    OR (UTF8(payload) LIKE '%rdpwrap%')
    OR (UTF8(payload) LIKE '%SrvcDllInitRegs%')
  )
HAVING detection_type IS NOT NULL
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: high · Confidence: medium

This AQL query runs against Sysmon and Windows Security event sources and identifies termsrv.dll file modification, TermService ServiceDll registry tampering, non-System32 DLL loads for TermService, and RDPWrap registry indicators. The LOGSOURCETYPEID values cover the Microsoft Windows Security Event Log (12), Microsoft Windows (101), and Sysmon sources.

Data Sources

  • IBM QRadar SIEM
  • Microsoft Windows Security Event Log DSM
  • Sysmon DSM for QRadar

Required Tables

events

False Positives & Tuning

  • Windows Update servicing stack (TrustedInstaller.exe) modifying termsrv.dll during Patch Tuesday rollout — correlate with change window and patch bulletin
  • Enterprise endpoint management tools (SCCM, Intune) deploying Windows feature updates that touch termsrv.dll as part of an approved deployment
  • Legitimate RDPWrap installation by IT helpdesk to enable concurrent remote sessions on developer workstations — validate against asset exception list
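The following is an added example, not code from this page or from IBM: it replays the query's WHERE pre-filter and CASE branches in Python (emulating AQL's case-sensitive LIKE) over constructed Sysmon-style payloads, then layers the tuning guidance above on top, suppressing RDPWrap indicators from helpdesk-approved hosts and marking termsrv.dll writes inside an approved change window for review rather than dropping them. Hostnames, timestamps, QID names and the key=value payload layout are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Sequence, Tuple


def like(value: str, pattern: str) -> bool:
    """Emulate AQL LIKE: case-sensitive, '%' matches any run, '_' one character."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


# Patterns taken from the query's WHERE clause and its first CASE branch.
PREFILTER = ("%termsrv.dll%", "%TermService%Parameters%ServiceDll%", "%rdpwrap%", "%SrvcDllInitRegs%")
BENIGN_WRITERS = ("%TrustedInstaller%", "%wusa.exe%", "%dism.exe%", "%msiexec.exe%")


def classify(qid_name: str, payload: str) -> Optional[str]:
    """Return the detection_type the query's CASE would assign, or None for ELSE NULL.
    Branch order matters: the first matching WHEN wins, exactly as in the AQL."""
    if not any(like(payload, p) for p in PREFILTER):  # WHERE clause
        return None
    if (like(payload, "%termsrv.dll%")
            and (like(qid_name, "%FileCreate%") or like(payload, "%EventCode=11%"))
            and not any(like(payload, p) for p in BENIGN_WRITERS)):
        return "TermSrv_DLL_File_Modified"
    if (like(payload, "%TermService%Parameters%ServiceDll%")
            and (like(qid_name, "%RegistryValue%") or like(payload, "%EventCode=13%"))):
        return "TermService_ServiceDll_Registry_Modified"
    if (like(payload, "%termsrv.dll%") and like(payload, "%TermService%")
            and not like(payload, "%System32%")  # tested against the whole payload
            and (like(qid_name, "%ImageLoad%") or like(payload, "%EventCode=7%"))):
        return "TermService_Non_System32_DLL"
    if (like(payload, "%rdpwrap%")
            or (like(payload, "%TermService%")
                and (like(payload, "%LogFile%") or like(payload, "%SrvcDllInitRegs%")))):
        return "RDPWrap_Registry_Indicator"
    return None


@dataclass
class Finding:
    host: str
    detection_type: str
    disposition: str  # "alert", "review:change_window" or "suppress:asset_exception"


def triage(events: Sequence[dict], approved_rdpwrap_hosts: set,
           change_windows: Sequence[Tuple[datetime, datetime]]) -> List[Finding]:
    """Apply the tuning guidance on top of the query's verdicts."""
    findings = []
    for ev in events:
        dt = classify(ev["qid_name"], ev["payload"])
        if dt is None:
            continue
        disposition = "alert"
        # Approved RDPWrap hosts: covers the RDPWrap branch and also a ServiceDll change
        # whose payload names rdpwrap (CASE order labels that one as the registry branch).
        if ev["host"] in approved_rdpwrap_hosts and (
                dt == "RDPWrap_Registry_Indicator" or like(ev["payload"], "%rdpwrap%")):
            disposition = "suppress:asset_exception"
        # A termsrv.dll write inside a change window is kept for correlation with the
        # patch bulletin instead of being silently dropped.
        elif dt == "TermSrv_DLL_File_Modified" and any(s <= ev["when"] <= e for s, e in change_windows):
            disposition = "review:change_window"
        findings.append(Finding(ev["host"], dt, disposition))
    return findings


def _t(hour: int) -> datetime:  # constructed timestamps for the samples
    return datetime(2024, 1, 9, hour, tzinfo=timezone.utc)


# Constructed payloads in a key=value style a forwarder might render; nothing here is real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "when": _t(9), "qid_name": "ProcessCreate",  # Test 1: read-only reg query
     "payload": r"EventCode=1 Image=C:\Windows\System32\reg.exe CommandLine=reg query HKLM\System\CurrentControlSet\Services\TermService\Parameters /v ServiceDll"},
    {"host": "WS01", "when": _t(9), "qid_name": "RegistryValueSet",  # Test 2: ServiceDll repointed
     "payload": r"EventCode=13 TargetObject=HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll Details=C:\ProgramData\rdp\termsrv.dll"},
    {"host": "WS02", "when": _t(3), "qid_name": "FileCreate",  # Patch Tuesday servicing write
     "payload": r"EventCode=11 Image=C:\Windows\servicing\TrustedInstaller.exe TargetFilename=C:\Windows\System32\termsrv.dll"},
    {"host": "WS02", "when": _t(3), "qid_name": "FileCreate",  # unknown writer, inside change window
     "payload": r"EventCode=11 Image=C:\Users\Public\updater.exe TargetFilename=C:\Windows\System32\termsrv.dll"},
    {"host": "WS03", "when": _t(14), "qid_name": "FileCreate",  # unknown writer, outside window
     "payload": r"EventCode=11 Image=C:\Users\Public\updater.exe TargetFilename=C:\Windows\System32\termsrv.dll"},
    {"host": "WS03", "when": _t(14), "qid_name": "ImageLoad",  # svchost (in System32) loads rogue DLL
     "payload": r"EventCode=7 Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k NetworkService -s TermService ImageLoaded=C:\ProgramData\rdp\termsrv.dll"},
    {"host": "WS03", "when": _t(14), "qid_name": "ImageLoad",  # same load, Image field dropped by forwarder
     "payload": r"EventCode=7 CommandLine=svchost.exe -k NetworkService -s TermService ImageLoaded=C:\ProgramData\rdp\termsrv.dll"},
    {"host": "DEV07", "when": _t(11), "qid_name": "RegistryValueSet",  # approved developer workstation
     "payload": r"EventCode=13 TargetObject=HKLM\System\CurrentControlSet\Services\TermService\Parameters\LogFile Details=C:\Program Files\RDP Wrapper\rdpwrap.txt"},
    {"host": "WS04", "when": _t(11), "qid_name": "RegistryValueSet",  # same indicator, not approved
     "payload": r"EventCode=13 TargetObject=HKLM\System\CurrentControlSet\Services\TermService\Parameters\LogFile Details=C:\Program Files\RDP Wrapper\rdpwrap.txt"},
]
APPROVED_RDPWRAP_HOSTS = {"DEV07"}
CHANGE_WINDOWS = [(_t(2), _t(5))]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, APPROVED_RDPWRAP_HOSTS, CHANGE_WINDOWS):
        print(f"{f.host:6} {f.detection_type:42} {f.disposition}")
```

Two things the replay makes visible. AQL `LIKE` is case-sensitive, so a forwarder that lowercases paths would slip past `'%TrustedInstaller%'` and `'%TermService%'`; `ILIKE` is the case-insensitive form if that is a concern. The third branch applies `NOT LIKE '%System32%'` to the whole payload, so a Sysmon event 7 that also carries the hosting `svchost.exe` path under System32 never reaches that branch (the sixth sample above); scoping the comparison to a custom event property holding only the loaded image path, rather than the full payload, is the tighter test.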

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Query TermService ServiceDll Registry Value

    Expected signal: Sysmon EventCode 1: reg.exe process creation with TermService command line. No system changes made.

  2. Test 2: Simulate ServiceDll Registry Modification (Test)

    Expected signal: Sysmon EventCode 13: RegistryValueSet for TermService\Parameters\ServiceDll with non-standard value. Security Event 4657 (Registry value modified) if registry auditing is enabled.

  3. Test 3: Hash termsrv.dll and Validate Signature

    Expected signal: Sysmon EventCode 1: powershell.exe with Get-FileHash command. File access to termsrv.dll.
