Description
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
Windows Services that are run as a "generic" process (ex: svchost.exe) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll.(Citation: Microsoft System Services Fundamentals) The termsrv.dll file, typically stored in %SystemRoot%\System32\, is the default ServiceDll value for Terminal Services in HKLM\System\CurrentControlSet\services\TermService\Parameters\.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent Remote Desktop Protocol sessions by either patching the termsrv.dll file or modifying the ServiceDll value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
Platforms
Mitigations (2)
AuditM1047
Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
Restrict Registry PermissionsM1024
Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.(Citation: Microsoft System Services Fundamentals)
Related CWE Weaknesses
References
- James. (2019, July 14). @James_inthe_box. Retrieved September 12, 2024.
- Microsoft. (2018, February 17). Windows System Services Fundamentals. Retrieved March 28, 2022.
- Microsoft. (2019, August 23). About Remote Desktop Services. Retrieved March 28, 2022.
- Stas'M Corp. (2014, October 22). RDP Wrapper Library by Stas'M. Retrieved March 28, 2022.
- Windows OS Hub. (2021, November 10). How to Allow Multiple RDP Sessions in Windows 10 and 11?. Retrieved March 28, 2022.
Frequently Asked Questions
What is T1505.005 (Terminal Services DLL)?
T1505.005 is a MITRE ATT&CK technique named 'Terminal Services DLL'. It belongs to the Persistence tactic(s). Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, ena...
How can T1505.005 be detected?
Detection of T1505.005 (Terminal Services DLL) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1505.005?
There are 2 documented mitigations for T1505.005. Key mitigations include: Audit, Restrict Registry Permissions.
Which threat groups use T1505.005?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.