Skip to content

DET0212 Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows)

Item Value
ID DET0212
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1505.005 (Terminal Services DLL)

Analytics

Windows

AN0595

Adversary modifies or replaces the Terminal Services DLL (termsrv.dll) or changes the associated ServiceDll Registry value to load an arbitrary or patched DLL that enables persistent and enhanced RDP access. This may include binary replacement, registry tampering, and unexpected module loads by the svchost.exe -k termsvcs process.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
TargetDLLPath Defenders may tune for non-standard DLLs loaded by svchost.exe or termsrv.exe processes.
RegistryKeyTarget Environment-specific variations in the path to ServiceDll registry key (e.g., nested group policies).
TimeWindow Correlation time window for registry change followed by DLL load or svchost restart.
ParentProcessName Some environments may spawn registry changes from automation tools or administrative scripts.