T1505.005 Sumo Logic CSE · Sumo

Detect Terminal Services DLL in Sumo Logic CSE

Adversaries modify or replace the Terminal Services DLL (termsrv.dll) to establish persistence or to enable RDP capabilities the host does not normally allow. The Remote Desktop Service (TermService) is hosted in svchost.exe, which loads the DLL named by the ServiceDll value at HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll; by default that value is %SystemRoot%\System32\termsrv.dll. Attackers either patch termsrv.dll in place to permit multiple concurrent RDP sessions on non-server editions, or repoint ServiceDll at a malicious DLL that executes inside the service host every time TermService starts. RDP Wrapper (RDPWrap) uses the same ServiceDll redirection for a legitimate purpose, which is why its artifacts are part of this detection; attackers weaponize the identical mechanism.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.005 Terminal Services DLL
Canonical reference
https://attack.mitre.org/techniques/T1505/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql
// T1505.005: Terminal Services DLL persistence
// Source: Windows Sysmon via Sumo Logic
_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon"
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<TargetObject>*</TargetObject>" as target_object nodrop
| parse "<Details>*</Details>" as details nodrop
| parse "<ImageLoaded>*</ImageLoaded>" as image_loaded nodrop
| parse "<Computer>*</Computer>" as computer nodrop
| parse "<User>*</User>" as user nodrop
| where (
    // FileCreate: termsrv.dll written by a process other than Windows servicing
    // (TiWorker.exe is the CBS worker that performs most file writes during updates)
    (event_id = "11" and
     target_filename matches /(?i)termsrv\.dll$/ and
     !(image matches /(?i)\\(TrustedInstaller|TiWorker|wusa|dism|msiexec|setup|svchost)\.exe$/))
    or
    // RegistryValueSet: TermService ServiceDll value changed, whatever the new value
    (event_id = "13" and
     target_object matches /(?i)TermService.*Parameters.*ServiceDll/)
    or
    // ImageLoad: a termsrv.dll loaded from outside System32
    // (Event ID 7 carries no CommandLine field, so the loading process cannot be matched on it)
    (event_id = "7" and
     image_loaded matches /(?i)termsrv\.dll$/ and
     !(image_loaded matches /(?i)\\System32\\/))
    or
    // Registry: RDP Wrapper indicators
    (event_id in ("12","13") and
     (target_object matches /(?i)rdpwrap/ or
      (target_object matches /(?i)TermService/ and
       target_object matches /(?i)(LogFile|SrvcDllInitRegs)/)))
  )
// Sumo Logic has no eval operator; a nested if(...) aliased with "as" labels each hit
| if(event_id = "11" and target_filename matches /(?i)termsrv\.dll$/,
    "TermSrv_DLL_File_Modified",
    if(event_id = "13" and target_object matches /(?i)TermService.*Parameters.*ServiceDll/,
      "TermService_ServiceDll_Registry_Modified",
      if(event_id = "7" and image_loaded matches /(?i)termsrv\.dll$/ and !(image_loaded matches /(?i)\\System32\\/),
        "TermService_Non_System32_DLL",
        "RDPWrap_Registry_Indicator"
      )
    )
  ) as detection_type
| fields _messageTime, computer, user, detection_type, event_id, image, command_line,
         target_filename, target_object, details, image_loaded
| sort by _messageTime desc
Severity: high · Confidence: high

Sumo Logic query over Windows Sysmon telemetry covering four T1505.005 sub-patterns: termsrv.dll written by a process outside the Windows servicing stack (Event ID 11), any change to the TermService ServiceDll value (Event ID 13), a termsrv.dll loaded from outside System32 (Event ID 7), and RDP Wrapper registry indicators (Event IDs 12/13). Note that only the ServiceDll rule catches a redirect to a DLL with a different file name; the file-write and image-load rules key on the termsrv.dll name itself.
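To check that the four rules label events the way the query intends before deploying it, here is an added Python replay of the same where-clause logic over Sysmon records in Windows Event XML. This is example code written for this page, not part of the Sumo Logic query or of any project. The sample records are constructed test data, not captured telemetry: a TrustedInstaller.exe write, a write by a hypothetical C:\Users\Public\patcher.exe, the Event ID 1 telemetry that Tests 1 and 3 under Testing Methodology produce, a ServiceDll change like Test 2, a termsrv.dll load from C:\Windows\Temp, and a made-up HKLM\SOFTWARE\RDPWrap key. The value C:\Program Files\RDP Wrapper\rdpwrap.dll is RDP Wrapper's default install location, and the servicing exclusion list here also includes TiWorker.exe, the CBS worker that performs most file writes during updates.

```python
"""Replay of the four T1505.005 sub-patterns over constructed Sysmon events.

Added example for this page, not the Sumo Logic query itself.  The XML records
in SAMPLE_EVENTS are constructed test data, not captured telemetry.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Same patterns as the query's where-clause; re.I stands in for (?i).
TERMSRV = re.compile(r"termsrv\.dll$", re.I)
SYSTEM32 = re.compile(r"\\System32\\", re.I)
SERVICEDLL = re.compile(r"TermService.*Parameters.*ServiceDll", re.I)
SERVICING = re.compile(r"\\(TrustedInstaller|TiWorker|wusa|dism|msiexec|setup|svchost)\.exe$", re.I)
RDPWRAP = re.compile(r"rdpwrap", re.I)
RDPWRAP_VALUES = re.compile(r"LogFile|SrvcDllInitRegs", re.I)
TERMSERVICE = re.compile(r"TermService", re.I)


def parse_event(xml_text):
    """Flatten one Windows Event XML record into {field: value}.

    EventData fields arrive as <Data Name="Image">...</Data>; the System block
    carries EventID and Computer directly.  Namespaces are stripped.
    """
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "Data":
            fields[el.get("Name")] = el.text or ""
        elif tag in ("EventID", "Computer"):
            fields[tag] = el.text or ""
    return fields


def classify(ev):
    """Return the detection_type label the query assigns to a flattened event, or None."""
    eid = ev.get("EventID", "")
    target_object = ev.get("TargetObject", "")
    if eid == "11" and TERMSRV.search(ev.get("TargetFilename", "")):
        # termsrv.dll written by anything other than a Windows servicing process
        return None if SERVICING.search(ev.get("Image", "")) else "TermSrv_DLL_File_Modified"
    if eid == "13" and SERVICEDLL.search(target_object):
        return "TermService_ServiceDll_Registry_Modified"
    if eid == "7":
        loaded = ev.get("ImageLoaded", "")
        if TERMSRV.search(loaded) and not SYSTEM32.search(loaded):
            return "TermService_Non_System32_DLL"
        return None
    if eid in ("12", "13") and (RDPWRAP.search(target_object) or
            (TERMSERVICE.search(target_object) and RDPWRAP_VALUES.search(target_object))):
        return "RDPWrap_Registry_Indicator"
    return None


def detect(xml_events):
    """Run classify over raw XML records; return (computer, event_id, detection_type) per hit."""
    hits = []
    for raw in xml_events:
        ev = parse_event(raw)
        label = classify(ev)
        if label:
            hits.append((ev.get("Computer", ""), ev["EventID"], label))
    return hits


def sysmon_event(event_id, computer="WS01", **data):
    """Build a minimal Sysmon record in Windows Event XML (constructed test data)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
            f"<EventData>{body}</EventData></Event>")


# Constructed sample telemetry: servicing noise, the page's three tests, and attacks.
SAMPLE_EVENTS = [
    # Windows Update replacing termsrv.dll: excluded by the servicing-process list
    sysmon_event(11, Image=r"C:\Windows\servicing\TrustedInstaller.exe",
                 TargetFilename=r"C:\Windows\System32\termsrv.dll"),
    # Patched termsrv.dll dropped by a hypothetical unsigned tool
    sysmon_event(11, Image=r"C:\Users\Public\patcher.exe",
                 TargetFilename=r"C:\Windows\System32\termsrv.dll"),
    # Test 1: read-only reg.exe query yields Event ID 1 only, no hit
    sysmon_event(1, Image=r"C:\Windows\System32\reg.exe",
                 CommandLine=r"reg query HKLM\System\CurrentControlSet\Services\TermService\Parameters /v ServiceDll"),
    # Test 2: ServiceDll repointed (value is RDP Wrapper's default install path)
    sysmon_event(13, TargetObject=r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
                 Details=r"C:\Program Files\RDP Wrapper\rdpwrap.dll"),
    # Test 3: hashing termsrv.dll from PowerShell yields Event ID 1 only, no hit
    sysmon_event(1, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 CommandLine=r"powershell Get-FileHash C:\Windows\System32\termsrv.dll"),
    # Legitimate load from System32 versus a copy loaded from a temp directory
    sysmon_event(7, Image=r"C:\Windows\System32\svchost.exe",
                 ImageLoaded=r"C:\Windows\System32\termsrv.dll"),
    sysmon_event(7, Image=r"C:\Windows\System32\svchost.exe",
                 ImageLoaded=r"C:\Windows\Temp\termsrv.dll"),
    # RDP Wrapper key creation (constructed key name)
    sysmon_event(12, TargetObject=r"HKLM\SOFTWARE\RDPWrap"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it prints four hits (Event IDs 11, 13, 7 and 12) and nothing for the TrustedInstaller write, the System32 load, or the two read-only tests, which is the behaviour to expect from the Sumo query on the same events.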

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Sysmon via Sumo Logic Installed Collector
  • Sumo Logic Windows Source

Required Tables

  • windows/sysmon
  • WinEventLog/Sysmon

False Positives & Tuning

  • Windows Update or CBS servicing replacing termsrv.dll during patch application: the writing process is TrustedInstaller.exe or its worker TiWorker.exe, both excluded, but confirm the timestamps fall inside a patch window and that the resulting file is Microsoft-signed
  • In-place Windows upgrade or repair installation touching termsrv.dll via setup.exe or dism.exe: excluded by default, but the exclusion matches on file name only, so a binary named setup.exe in a user-writable directory is excluded too; check the image path whenever the write did not come from a Windows servicing directory
  • Legitimate RDP Wrapper deployment for IT remote support on workstations: the rdpwrap key pattern and the ServiceDll rule both fire, because RDP Wrapper repoints ServiceDll to rdpwrap.dll; verify installer provenance and change approval
Testing Methodology

Validate this detection with the three tests below, modelled on Atomic Red Team. Each lists the behaviour to exercise and the telemetry you should expect to see. Only Test 2 produces an event the query above matches; Tests 1 and 3 are read-only and confirm that Sysmon process-creation telemetry (Event ID 1) is reaching Sumo Logic without triggering the detection.

  1. Test 1: Query TermService ServiceDll Registry Value

    Expected signal: Sysmon Event ID 1: reg.exe process creation with TermService in the command line. No system changes are made, and the detection query does not match Event ID 1, so this test only confirms collection.

  2. Test 2: Simulate ServiceDll Registry Modification (Test)

    Expected signal: Sysmon Event ID 13: RegistryValueSet on TermService\Parameters\ServiceDll with a non-standard value; this is the event the query labels TermService_ServiceDll_Registry_Modified. Security Event 4657 (registry value modified) appears as well if registry auditing is enabled. Restore the default value (%SystemRoot%\System32\termsrv.dll) immediately afterwards so the Remote Desktop Service can still start.

  3. Test 3: Hash termsrv.dll and Validate Signature

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-FileHash in the command line. Sysmon does not record file reads, so no file event is produced; a Security 4663 event appears only if a SACL audits termsrv.dll. Compare the hash and Authenticode signature with a known-good copy at the same patch level.
