Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8)
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
Windows Services that are run as a "generic" process (ex: svchost.exe
) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll
.(Citation: Microsoft System Services Fundamentals) The termsrv.dll
file, typically stored in %SystemRoot%\System32\
, is the default ServiceDll
value for Terminal Services in HKLM\System\CurrentControlSet\services\TermService\Parameters\
.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll
functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent Remote Desktop Protocol sessions by either patching the termsrv.dll
file or modifying the ServiceDll
value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | Terminal Services DLL - T1505.005 (379809f6-2fac-42c1-bd2e-e9dee70b27f8) | Attack Pattern | 1 |