title: Terminal Services DLL (T1505.005)
id: df00tech-t1505-005
status: experimental
description: "Adversaries modify or replace the Terminal Services DLL (termsrv.dll) to establish persistence or enable unauthorized RDP capabilities. The ServiceDll registry value at HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\ServiceDll points to termsrv.dll. Attackers can patch termsrv.dll to enable multiple concurrent RDP sessions on non-server editions, or redirect the ServiceDll to a malicious DLL that executes arbitrary code when the Remote Desktop Service starts. RDPWrap uses this mechanism for legitimate purposes; attackers weaponize the same technique."
references:
  - https://attack.mitre.org/techniques/T1505/005/
  - https://df00tech.com/detections/T1505.005
author: df00tech
date: 2026/04/20
tags:
  - attack.t1505.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Windows Update patching termsrv.dll via TrustedInstaller (expected — exclude by initiating process)
  - RDPWrap legitimate deployment by IT administrators to enable concurrent RDP sessions on Windows 10 workstations for remote support
  - Third-party remote access tools that integrate with or extend Terminal Services
  - Virtual desktop infrastructure (VDI) solutions that customize Terminal Services behavior
level: high
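The selection above is a placeholder, so the following is an added example (not df00tech's rule logic and not part of the original page) of how the two behaviours named in the description can be checked over endpoint telemetry. It assumes Sysmon-style records reduced to plain dicts: Event ID 13 (registry value set, fields `TargetObject`, `Details`, `Image`) for the ServiceDll redirect, and Event ID 11 (file create/overwrite, fields `TargetFilename`, `Image`) for termsrv.dll being rewritten. The expected ServiceDll value `%SystemRoot%\System32\termsrv.dll` is the stock default; the TrustedInstaller path used as the Windows Update exclusion, and all sample events, are constructed for this example.

```python
"""T1505.005 (Terminal Services DLL) checks over Sysmon-style event records.

Added example, not the df00tech rule's own logic. Event dicts mirror Sysmon
Event ID 13 (RegistryEvent: value set) and Event ID 11 (FileCreate).
"""
import re

# Registry value that tells the Service Control Manager which DLL to load
# for TermService (path from the rule description).
SERVICEDLL_KEY = r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll"

# Stock value of ServiceDll, accepted both unexpanded and expanded.
EXPECTED_DLL = {
    r"%systemroot%\system32\termsrv.dll",
    r"c:\windows\system32\termsrv.dll",
}

# Matches the on-disk termsrv.dll regardless of drive letter or case.
TERMSRV_PATH_RE = re.compile(r"\\system32\\termsrv\.dll$", re.IGNORECASE)

# Assumption: writers allowed to replace termsrv.dll (Windows Update via
# TrustedInstaller, the first falsepositives entry in the rule).
TRUSTED_WRITERS = {r"c:\windows\servicing\trustedinstaller.exe"}


def _norm(value):
    """Case-fold and unify path separators so comparisons are not fooled by casing."""
    return value.replace("/", "\\").strip().lower()


def is_servicedll_redirect(event):
    """Event ID 13: TermService ServiceDll pointed at anything other than stock termsrv.dll."""
    if event.get("EventID") != 13:
        return False
    if _norm(event.get("TargetObject", "")) != _norm(SERVICEDLL_KEY):
        return False
    return _norm(event.get("Details", "")) not in EXPECTED_DLL


def is_termsrv_file_write(event):
    """Event ID 11: termsrv.dll created/overwritten by a process that is not TrustedInstaller."""
    if event.get("EventID") != 11:
        return False
    if not TERMSRV_PATH_RE.search(event.get("TargetFilename", "")):
        return False
    return _norm(event.get("Image", "")) not in TRUSTED_WRITERS


def detect(events):
    """Return (rule_name, event) pairs for every record that trips a check."""
    hits = []
    for ev in events:
        if is_servicedll_redirect(ev):
            hits.append(("termservice_servicedll_redirect", ev))
        elif is_termsrv_file_write(ev):
            hits.append(("termsrv_dll_write_by_untrusted_process", ev))
    return hits


# Constructed sample telemetry: two benign records and two that should alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": SERVICEDLL_KEY,
     "Details": r"%SystemRoot%\System32\termsrv.dll"},            # stock value, benign
    {"EventID": 13, "Image": r"C:\ProgramData\RDPWrap\RDPWInst.exe",
     "TargetObject": SERVICEDLL_KEY,
     "Details": r"C:\ProgramData\RDPWrap\rdpwrap.dll"},            # redirect: alert
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\termsrv.dll"},        # Windows Update, excluded
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\patcher.exe",
     "TargetFilename": r"C:\Windows\System32\termsrv.dll"},        # constructed: alert
]


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev['Image']}")
```

The registry check is the direct equivalent of a Sigma `registry_set` selection on `TargetObject` with a filter on the stock `Details` value; the file-write check implements the rule's first false-positive entry as an exclusion on the initiating process rather than suppressing the whole event. Whether RDPWrap deployments (the second false-positive entry) should also be excluded is an environment decision, so the example leaves them alerting.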
