MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1505.005: Terminal Services DLL

Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.

Windows Services that are run as a "generic" process (ex: svchost.exe) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll. The termsrv.dll file, typically stored in %SystemRoot%\System32\, is the default ServiceDll value for Terminal Services in HKLM\System\CurrentControlSet\services\TermService\Parameters\.

Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts. Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent Remote Desktop Protocol sessions by either patching the termsrv.dll file or modifying the ServiceDll value to point to a DLL that provides increased RDP functionality. On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

— Monitoring of value-modification events for the registry value HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll. This value should contain '%SystemRoot%\System32\termsrv.dll'. If it does not, check for potentially malicious activity.
— Monitoring of reg.exe run events that contain 'termsrv.dll' in their command line.
— Monitoring of events related to suspicious DLLs being loaded by the Terminal Services host process (for example, 'svchost.exe -k termsvcs'). By default, the loaded service DLL should be '%SystemRoot%\System32\termsrv.dll'.
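The three monitoring rules above, implemented as an added example over constructed sample events (this is illustrative code, not a MaxPatrol SIEM rule or any product's code; the Sysmon-like field names, the EventID mapping 13/1/7 and the sample paths are assumptions chosen for the example):

```python
import re

# Default from the page: ServiceDll for TermService should be %SystemRoot%\System32\termsrv.dll
EXPECTED_SERVICEDLL = r"%systemroot%\system32\termsrv.dll"
TERMSERVICE_PARAMS = r"hklm\system\currentcontrolset\services\termservice\parameters"

def _norm(path):
    """Lower-case a key/path and fold an expanded Windows root (C:\\Windows) to %SystemRoot%."""
    p = path.strip().strip('"').lower().replace("hkey_local_machine", "hklm")
    return re.sub(r"^[a-z]:\\windows(?=\\)", "%systemroot%", p)

def check_registry_set(ev):
    """Registry value write: flag ServiceDll not pointing at the default DLL, or any other Parameters write."""
    target = _norm(ev.get("TargetObject", ""))
    if target == TERMSERVICE_PARAMS + r"\servicedll":
        if _norm(ev.get("Details", "")) != EXPECTED_SERVICEDLL:
            return "TermService ServiceDll changed to " + ev["Details"]
    elif target.startswith(TERMSERVICE_PARAMS + "\\"):
        return "TermService parameter written: " + ev["TargetObject"]
    return None

def check_process_create(ev):
    """Process start: reg.exe with termsrv.dll anywhere in its arguments."""
    if _norm(ev.get("Image", "")).endswith(r"\reg.exe") and "termsrv.dll" in ev.get("CommandLine", "").lower():
        return "reg.exe referencing termsrv.dll: " + ev["CommandLine"]
    return None

def check_image_load(ev):
    """Module load into the 'svchost.exe -k termsvcs' host from outside System32 (simplified: 64-bit host only)."""
    host = ev.get("ProcessCommandLine", "").lower()
    loaded = _norm(ev.get("ImageLoaded", ""))
    if "svchost.exe" in host and "termsvcs" in host and not loaded.startswith(r"%systemroot%\system32" + "\\"):
        return "TermService host loaded DLL outside System32: " + ev["ImageLoaded"]
    return None

CHECKS = {13: check_registry_set, 1: check_process_create, 7: check_image_load}  # assumed EventID mapping

def triage(events):
    """Return one (EventID, reason) tuple per event that matches a rule, in input order."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        reason = check(ev) if check else None
        if reason:
            hits.append((ev["EventID"], reason))
    return hits

# Constructed sample events (simplified Sysmon-like fields; not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll", "Details": r"%SystemRoot%\System32\termsrv.dll"},  # benign default
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll", "Details": r"C:\Windows\Temp\example_termsrv.dll"},  # suspicious
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg.exe add HKLM\System\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /d C:\Windows\Temp\example_termsrv.dll"},
    {"EventID": 7, "ProcessCommandLine": r"C:\Windows\System32\svchost.exe -k termsvcs", "ImageLoaded": r"C:\Windows\System32\termsrv.dll"},  # benign default DLL
    {"EventID": 7, "ProcessCommandLine": r"C:\Windows\System32\svchost.exe -k termsvcs", "ImageLoaded": r"C:\Windows\Temp\example_termsrv.dll"},  # suspicious
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(event_id, reason)
```

Running the block prints three alerts (the two benign sample events are not reported); the path normalisation is what lets the expanded 'C:\Windows\System32\termsrv.dll' compare equal to the '%SystemRoot%' form.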

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0011
Data source and component: Module: Module Load
Description:

Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll, though an adversary could also use Match Legitimate Name or Location to potentially conceal a malicious payload).

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments for potential adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor unexpected changes and/or interactions with termsrv.dll, which is typically stored in %SystemRoot%\System32\.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description:

Monitor for changes to Registry keys associated with ServiceDll and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor processes with arguments that may potentially highlight adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

Mitigation

ID: M1047
Name: Audit
Description:

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

ID: M1024
Name: Restrict Registry Permissions
Description:

Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.