
T1505.005 Terminal Services DLL

Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.[3]

Windows Services that are run as a “generic” process (ex: svchost.exe) load the service’s DLL file, the location of which is stored in a Registry entry named ServiceDll.[2] The termsrv.dll file, typically stored in %SystemRoot%\System32\, is the default ServiceDll value for Terminal Services in HKLM\System\CurrentControlSet\services\TermService\Parameters\.

Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.[1] Modifications to this DLL may be made to execute arbitrary payloads (while also potentially preserving normal termsrv.dll functionality) or simply to enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent Remote Desktop Protocol sessions by either patching the termsrv.dll file or modifying the ServiceDll value to point to a DLL that provides increased RDP functionality.[5][4] On a non-server Windows OS this increased functionality may also enable an adversary to avoid the Terminal Services prompts that warn or log out users of a system when a new RDP session is created.

ID: T1505.005
Sub-techniques: T1505.001, T1505.002, T1505.003, T1505.004, T1505.005
Tactics: TA0003
Platforms: Windows
Version: 1.0
Created: 28 March 2022
Last Modified: 18 April 2022

Mitigations

M1047 Audit: Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
M1024 Restrict Registry Permissions: Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.[2]
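One way to carry out the M1047 audit on a Windows host, as an added example that is not part of the ATT&CK page: it reads the ServiceDll value described above, compares it with the default termsrv.dll path, verifies the Authenticode signature of whatever DLL the value points to, and checks which termsrv.dll the running TermService process has actually loaded. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added audit script (hypothetical, not from the ATT&CK page): check the TermService
# ServiceDll value and the integrity of the DLL it points to (mitigation M1047).
$paramsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$expectedDll = Join-Path $env:SystemRoot 'System32\termsrv.dll'   # default per the page
$findings    = @()

# The value is REG_EXPAND_SZ; the registry provider usually expands it already,
# but expanding again is harmless and covers a raw value read through other means.
$rawValue  = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction Stop).ServiceDll
$actualDll = [Environment]::ExpandEnvironmentVariables($rawValue)

# Check 1: ServiceDll redirected away from the default termsrv.dll location?
if ($actualDll -ine $expectedDll) {
    $findings += "ServiceDll redirected: '$rawValue' (expected '$expectedDll')"
}

# Check 2: is the DLL on disk still carrying a valid Microsoft signature?
# A patched termsrv.dll breaks the signature; a swapped-in DLL is typically unsigned.
# (termsrv.dll is catalog-signed; Get-AuthenticodeSignature resolves catalogs on Windows 8+.)
if (Test-Path -LiteralPath $actualDll) {
    $sig = Get-AuthenticodeSignature -FilePath $actualDll
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status for '$actualDll' is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "'$actualDll' signed by unexpected publisher: $($sig.SignerCertificate.Subject)"
    }
} else {
    $findings += "ServiceDll target '$actualDll' does not exist on disk"
}

# Check 3: does the live svchost.exe hosting TermService load termsrv.dll from that path?
# (Corresponds to the Module Load data source; only meaningful while the service runs.)
$svcPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
if ($svcPid) {
    $loaded = (Get-Process -Id $svcPid).Modules | Where-Object { $_.ModuleName -ieq 'termsrv.dll' }
    if ($loaded -and ($loaded.FileName -ine $actualDll)) {
        $findings += "Running service loaded termsrv.dll from '$($loaded.FileName)', not from ServiceDll path"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: TermService ServiceDll is '$actualDll' with a valid Microsoft signature."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Any warning it emits maps directly to the page's DS0024 (Registry key modification) or DS0022/DS0011 (file modified or unexpected module loaded) data components and is worth correlating with those event sources.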

Detection

DS0017 Command: Command Execution
DS0022 File: File Modification
DS0011 Module: Module Load
DS0009 Process: Process Creation
DS0024 Windows Registry: Windows Registry Key Modification

References