Detect Terminal Services DLL in Microsoft Sentinel
Adversaries modify or replace the Terminal Services DLL (termsrv.dll), or repoint the TermService service away from it, to establish persistence or enable unauthorized RDP capabilities. The ServiceDll value at HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters names the DLL that svchost.exe loads when the Remote Desktop Services service starts; on a stock system it is %SystemRoot%\System32\termsrv.dll. Attackers can patch termsrv.dll on disk to enable multiple concurrent RDP sessions on non-server editions, or redirect ServiceDll to a malicious DLL that executes arbitrary code in the service's security context every time the service starts. RDPWrap uses the same redirection legitimately (its rdpwrap.dll is set as the ServiceDll and loads and patches the original termsrv.dll in memory); attackers weaponize the same technique.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.005 Terminal Services DLL
- Canonical reference: https://attack.mitre.org/techniques/T1505/005/
KQL Detection Query
// T1505.005: Terminal Services DLL persistence detection
// Covers on-disk modification of termsrv.dll, redirection of the TermService ServiceDll value,
// the TermService host loading termsrv.dll from a non-standard location, and RDPWrap indicators
// Part 1: Detect modification of termsrv.dll by anything other than servicing/installer components
let TermsrvMod = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName =~ "termsrv.dll"
// Renames are included: a common pattern is to rename the original before dropping a patched copy
| where ActionType in ("FileModified", "FileCreated", "FileRenamed")
// Windows servicing writes this file through TrustedInstaller/TiWorker; installers and DISM are expected too
| where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "TiWorker.exe", "wusa.exe", "dism.exe",
    "msiexec.exe", "setup.exe", "svchost.exe")
| extend DetectionType = "TermSrv_DLL_Modified"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect the TermService ServiceDll value being set to anything other than the stock DLL
let TermServiceReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_all ("TermService", "Parameters")
| where RegistryValueName =~ "ServiceDll"
// The default data is %SystemRoot%\System32\termsrv.dll; any other path is a redirection
// (RDPWrap points this at rdpwrap.dll, a malicious DLL can be wired in the same way)
| where RegistryValueData !~ @"%SystemRoot%\System32\termsrv.dll"
| extend DetectionType = "TermService_ServiceDll_Modified"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect the svchost.exe instance hosting TermService loading termsrv.dll from outside System32
let TermServiceDLL = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "svchost.exe"
// TermService runs in the termsvcs service group; match either the group or the service name
| where InitiatingProcessCommandLine has_any ("TermService", "termsvcs")
| where FileName =~ "termsrv.dll"
| where FolderPath !contains @"\Windows\System32\"
| extend DetectionType = "TermService_Non_Standard_DLL"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 4: Detect RDPWrap-style registry indicators (has_any is case-insensitive)
let RDPWrapReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("rdpwrap", "rdpwrapper")
    or (RegistryKey has "TermService" and RegistryValueName has_any ("LogFile", "SrvcDllInitRegs"))
| extend DetectionType = "RDPWrap_Registry_Indicator"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
    InitiatingProcessFileName, DetectionType;
union TermsrvMod, TermServiceReg, TermServiceDLL, RDPWrapReg
| sort by Timestamp desc

Four-part detection for Terminal Services DLL persistence. Part 1 flags creation, modification or renaming of termsrv.dll by any process other than Windows servicing and installer components. Part 2 flags any write to the TermService ServiceDll value whose data is not the stock %SystemRoot%\System32\termsrv.dll, which is how both RDPWrap (rdpwrap.dll) and a malicious DLL are wired into the service. Part 3 catches the svchost.exe instance hosting TermService loading termsrv.dll from a location outside System32. Part 4 surfaces RDPWrap-specific registry indicators, which point to the tool being used for unauthorized RDP session enablement even when no malicious DLL is involved.
Data Sources
Microsoft Defender for Endpoint advanced hunting telemetry (the Device* tables), available in Microsoft Sentinel through the Microsoft Defender connector.
Required Tables
- DeviceFileEvents
- DeviceRegistryEvents
- DeviceImageLoadEvents
False Positives & Tuning
- Windows Update and component servicing rewriting termsrv.dll through TrustedInstaller (expected; exclude by initiating process rather than by file path)
- Sanctioned RDPWrap deployments by IT administrators to enable concurrent RDP sessions on Windows 10 workstations for remote support (exclude the known rdpwrap.dll install path explicitly rather than suppressing ServiceDll writes altogether)
- Third-party remote access tools that integrate with or extend Terminal Services
- Virtual desktop infrastructure (VDI) solutions that customize Terminal Services behaviour
Other platforms for T1505.005
Testing Methodology
Validate this detection against three adversary behaviours drawn from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are given as Sysmon and Windows Security event IDs; in the Defender tables the query reads, the equivalents are DeviceProcessEvents for process creation and DeviceRegistryEvents (ActionType RegistryValueSet) for the registry write. Test 3 only reads termsrv.dll, which does not produce a DeviceFileEvents row, so expect only the process-creation signal from that side.
- Test 1: Query TermService ServiceDll Registry Value
Expected signal: Sysmon Event ID 1 (process creation) for reg.exe with TermService in the command line. No system changes are made.
- Test 2: Simulate ServiceDll Registry Modification (Test)
Expected signal: Sysmon Event ID 13 (RegistryValueSet) for TermService\Parameters\ServiceDll with a non-standard value; Security event 4657 (registry value modified) if object-access auditing with a SACL on the key is enabled.
- Test 3: Hash termsrv.dll and Validate Signature
Expected signal: Sysmon Event ID 1 for powershell.exe with a Get-FileHash command line, plus the read of termsrv.dll.
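The ServiceDll mechanism described at the top of the page and the three tests above can be exercised from one PowerShell session on the host. The script below is an added example, not part of the original page and not an Atomic Red Team test: it reads the raw ServiceDll value (Test 1), resolves the path it actually points to and checks that file's SHA-256 and Authenticode signature (Test 3), and, only when run with -Simulate, writes a benign non-default ServiceDll value and restores it immediately to generate the Test 2 telemetry. The default data %SystemRoot%\System32\termsrv.dll is the stock Windows setting; the placeholder path C:\Temp\termsrv_test.dll is an arbitrary value chosen for this example and is never loaded.

```powershell
# Added example (not from the original page or Atomic Red Team): audit the TermService
# ServiceDll value and the DLL it resolves to, and optionally generate Test 2 telemetry.
# Read-only checks work as a standard user; -Simulate requires an elevated session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Simulate
)

$ParamsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$DefaultDll = '%SystemRoot%\System32\termsrv.dll'   # stock value on an unmodified host

# Test 1: read ServiceDll WITHOUT expanding %SystemRoot%. Get-ItemProperty expands
# REG_EXPAND_SZ values, which would make a comparison against the stock string fail.
$key = Get-Item -LiteralPath $ParamsKey
$serviceDll = $key.GetValue('ServiceDll', $null,
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

if ($null -eq $serviceDll) {
    throw "ServiceDll value is missing under $ParamsKey"
}
if ($serviceDll -ine $DefaultDll) {
    Write-Warning "ServiceDll is not the default: '$serviceDll'"
} else {
    Write-Host "ServiceDll is the default: $serviceDll"
}

# Test 3: hash and verify the DLL the value actually points to, not just the expected path.
# A ServiceDll redirected to C:\Temp\termsrv.dll would pass a check that only looks at System32.
$resolved = [Environment]::ExpandEnvironmentVariables($serviceDll)
if (-not (Test-Path -LiteralPath $resolved)) {
    Write-Warning "ServiceDll target does not exist on disk: $resolved"
} else {
    $sig  = Get-AuthenticodeSignature -LiteralPath $resolved
    $item = Get-Item -LiteralPath $resolved
    [pscustomobject]@{
        Path            = $resolved
        SHA256          = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status          # 'Valid' expected; 'HashMismatch' for a byte-patched file
        IsOSBinary      = $sig.IsOSBinary      # True for catalog-signed Windows components
        Signer          = $sig.SignerCertificate.Subject
        FileVersion     = $item.VersionInfo.FileVersion
        LastWriteTime   = $item.LastWriteTimeUtc
    } | Format-List

    # termsrv.dll is catalog-signed; Windows 10+ PowerShell resolves that through the catalog.
    # Anything other than a valid Microsoft signature means tampering or a swapped-in DLL.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        Write-Warning "Service DLL at $resolved is unsigned, tampered, or not Microsoft-signed"
    }
}

# Test 2 (only with -Simulate): set a benign non-default value and restore it at once.
# This produces the DeviceRegistryEvents / Sysmon 13 / 4657 signal. TermService is not
# restarted, so the placeholder is never loaded; still, run this only on a test host.
if ($Simulate) {
    $testValue = 'C:\Temp\termsrv_test.dll'   # arbitrary non-existent path, telemetry only
    if ($PSCmdlet.ShouldProcess($ParamsKey, "Set ServiceDll to '$testValue' and restore")) {
        try {
            Set-ItemProperty -Path $ParamsKey -Name ServiceDll -Value $testValue -Type ExpandString
            Start-Sleep -Seconds 2
        } finally {
            # Restore the unexpanded original value with its original REG_EXPAND_SZ type
            Set-ItemProperty -Path $ParamsKey -Name ServiceDll -Value $serviceDll -Type ExpandString
        }
        $after = (Get-Item -LiteralPath $ParamsKey).GetValue('ServiceDll', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($after -ine $serviceDll) {
            throw "Restore failed: ServiceDll is now '$after', expected '$serviceDll'"
        }
        Write-Host "ServiceDll restored to '$after'"
    }
}
```

Run the script with no arguments for the read-only checks, and with -Simulate -Confirm on a test host to generate the Test 2 write; it verifies the restore before exiting. On an unmodified host expect SignatureStatus Valid, IsOSBinary True and a Microsoft signer. A concurrent-session patch to termsrv.dll shows up as HashMismatch with a recent LastWriteTime, and a redirected ServiceDll shows up as a non-default value whose target is either unsigned or signed by someone other than Microsoft, which is exactly what Parts 1 and 2 of the query above key on.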