Detect Terminal Services DLL in Splunk
Adversaries modify or replace the Terminal Services DLL (termsrv.dll) to establish persistence or enable unauthorized RDP capabilities. The ServiceDll registry value at HKLM\System\CurrentControlSet\services\TermService\Parameters\ServiceDll points to termsrv.dll. Attackers can patch termsrv.dll to enable multiple concurrent RDP sessions on non-server editions, or redirect the ServiceDll to a malicious DLL that executes arbitrary code when the Remote Desktop Service starts. RDPWrap abuses this mechanism legitimately; attackers weaponize the same technique.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1505 Server Software Component
- Sub-technique
- T1505.005 Terminal Services DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1505/005/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
EventCode=11 AND
match(TargetFilename, "(?i)termsrv\.dll$") AND
NOT match(Image, "(?i)(TrustedInstaller|wusa|dism|msiexec|setup|svchost)\.exe"),
"TermSrv_DLL_File_Modified",
EventCode=13 AND
match(TargetObject, "(?i)TermService.*Parameters.*ServiceDll"),
"TermService_ServiceDll_Registry_Modified",
EventCode=7 AND
match(CommandLine, "(?i)TermService") AND
match(ImageLoaded, "(?i)termsrv\.dll") AND
NOT match(ImageLoaded, "(?i)\\\\System32\\\\"),
"TermService_Non_System32_DLL",
EventCode IN (12,13) AND
(match(TargetObject, "(?i)rdpwrap") OR
(match(TargetObject, "(?i)TermService") AND
match(TargetObject, "(?i)(LogFile|SrvcDllInitRegs)"))),
"RDPWrap_Registry_Indicator",
true(), null()
)
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, TargetFilename,
TargetObject, Details, ImageLoaded
| sort - _timeDetects Terminal Services DLL persistence via Sysmon. EventCode 11 monitors termsrv.dll file modifications by non-system processes. EventCode 13 catches TermService ServiceDll registry key modification. EventCode 7 detects termsrv.dll loaded from outside System32 by TermService svchost. EventCodes 12/13 detect RDPWrap registry artifacts.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Windows Update patching termsrv.dll
- Legitimate RDPWrap deployment for authorized concurrent RDP sessions
- VDI solution customizations to Terminal Services
Other platforms for T1505.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Query TermService ServiceDll Registry Value
Expected signal: Sysmon EventCode 1: reg.exe process creation with TermService command line. No system changes made.
- Test 2Simulate ServiceDll Registry Modification (Test)
Expected signal: Sysmon EventCode 13: RegistryValueSet for TermService\Parameters\ServiceDll with non-standard value. Security Event 4657 (Registry value modified) if registry auditing is enabled.
- Test 3Hash termsrv.dll and Validate Signature
Expected signal: Sysmon EventCode 1: powershell.exe with Get-FileHash command. File access to termsrv.dll.
Unlock Pro Content
Get the full detection package for T1505.005 including response playbook, investigation guide, and atomic red team tests.