An adversary modifies or replaces the Terminal Services DLL (termsrv.dll), or changes the associated `ServiceDll` registry value under the TermService service key, so that an arbitrary or patched DLL is loaded in place of the genuine one, enabling persistent and enhanced RDP access. Observable artifacts include replacement of the on-disk binary, tampering with the registry value, and unexpected module loads by the svchost.exe instance started with `-k termsvcs`.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TargetDLLPath | Defenders may tune for non-standard DLLs loaded by the svchost.exe instance hosting TermService (`-k termsvcs`); the expected module is `%SystemRoot%\System32\termsrv.dll`. |
| RegistryKeyTarget | Environment-specific variations in how the path to the `ServiceDll` value (`HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters`) appears in logs, e.g. `ControlSet001` in place of `CurrentControlSet`. |
| TimeWindow | Correlation time window between a registry change or file write and the subsequent DLL load or svchost restart. |
| ParentProcessName | Some environments spawn these registry changes from automation tools, patch-management agents, or administrative scripts; allowlist those parents rather than the target key. |
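The correlation the tables above describe, written out as an added example (this is illustrative code, not an ATT&CK analytic or anyone's production rule). It runs the four data sources over a handful of constructed events: Security 4657 for the `ServiceDll` value, Sysmon 11 for writes to termsrv.dll, Sysmon 1 to identify which svchost.exe is the `-k termsvcs` host, and Sysmon 7 for what that host loads. The servicing-stack allowlist (`BENIGN_ACTORS`), the ten-minute window, and the sample timestamps and paths are all assumptions chosen for the example.

```python
# Added example: correlate 4657 / Sysmon 1, 7, 11 into termsrv.dll tampering alerts.
from datetime import datetime, timedelta

EXPECTED_DLL = r"c:\windows\system32\termsrv.dll"        # canonical TargetDLLPath
SERVICEDLL_KEY_TAIL = r"\services\termservice\parameters" # matches any ControlSet00N
BENIGN_ACTORS = {"tiworker.exe", "trustedinstaller.exe"}  # assumed servicing-stack allowlist
WINDOW = timedelta(minutes=10)                             # TimeWindow tunable (assumed)


def _norm(path):
    """Lower-case, expand %SystemRoot%, fix slashes so 4657 and Sysmon paths compare equal."""
    return path.lower().replace("/", "\\").replace("%systemroot%", r"c:\windows")


def _base(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _ev(code, ts, **fields):
    return {"code": code, "time": datetime.fromisoformat(ts), **fields}


# Constructed sample events; field names follow the real 4657 / Sysmon schemas.
SAMPLE_EVENTS = [
    # Benign: servicing stack rewrites termsrv.dll and resets ServiceDll during patching.
    _ev(11, "2024-05-01T09:30:00", Image=r"C:\Windows\servicing\TrustedInstaller.exe",
        TargetFilename=r"C:\Windows\System32\termsrv.dll"),
    _ev(4657, "2024-05-01T09:30:01", ProcessName=r"C:\Windows\servicing\TrustedInstaller.exe",
        ObjectName=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters",
        ObjectValueName="ServiceDll", NewValue=r"%SystemRoot%\System32\termsrv.dll"),
    # Suspicious: ServiceDll repointed, termsrv.dll overwritten by an ad-hoc tool, then the
    # termsvcs svchost loads a DLL from outside C:\Windows.
    _ev(4657, "2024-05-01T10:00:00", ProcessName=r"C:\Windows\regedit.exe",
        ObjectName=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters",
        ObjectValueName="ServiceDll", NewValue=r"C:\ProgramData\rdp\rdpwrap.dll"),
    _ev(11, "2024-05-01T10:00:05", Image=r"C:\Temp\patch.exe",
        TargetFilename=r"C:\Windows\System32\termsrv.dll"),
    _ev(1, "2024-05-01T10:01:00", ProcessGuid="{guid-1}", Image=r"C:\Windows\System32\svchost.exe",
        CommandLine=r"C:\Windows\System32\svchost.exe -k termsvcs -s TermService"),
    _ev(7, "2024-05-01T10:01:02", ProcessGuid="{guid-1}", Image=r"C:\Windows\System32\svchost.exe",
        ImageLoaded=r"C:\Windows\System32\ntdll.dll", SignatureStatus="Valid"),
    _ev(7, "2024-05-01T10:01:02", ProcessGuid="{guid-1}", Image=r"C:\Windows\System32\svchost.exe",
        ImageLoaded=r"C:\ProgramData\rdp\rdpwrap.dll", SignatureStatus="Unavailable"),
]


def termsvcs_hosts(events):
    """DC0032 / Sysmon 1: ProcessGuids of svchost.exe instances started with -k termsvcs."""
    return {e["ProcessGuid"] for e in events
            if e["code"] == 1 and _base(e["Image"]) == "svchost.exe"
            and "-k termsvcs" in e["CommandLine"].lower()}


def registry_tamper(events):
    """DC0063 / 4657: ServiceDll under ...\\Services\\TermService\\Parameters set to anything
    but the canonical termsrv.dll. Matching the key tail covers ControlSet001 as well as
    CurrentControlSet (RegistryKeyTarget); the actor allowlist is the ParentProcessName tuning."""
    return [e for e in events if e["code"] == 4657
            and _norm(e["ObjectName"]).endswith(SERVICEDLL_KEY_TAIL)
            and e["ObjectValueName"].lower() == "servicedll"
            and _norm(e["NewValue"]) != EXPECTED_DLL
            and _base(e["ProcessName"]) not in BENIGN_ACTORS]


def dll_overwrite(events):
    """DC0039 / Sysmon 11: termsrv.dll (re)created by anything other than the servicing stack."""
    return [e for e in events if e["code"] == 11
            and _base(e["TargetFilename"]) == "termsrv.dll"
            and _base(e["Image"]) not in BENIGN_ACTORS]


def odd_module_load(events):
    """DC0016 / Sysmon 7: the termsvcs host loads termsrv.dll from a non-canonical path or
    with a bad signature (patched binary), or loads any module from outside C:\\Windows."""
    hosts = termsvcs_hosts(events)
    hits = []
    for e in events:
        if e["code"] != 7 or e["ProcessGuid"] not in hosts:
            continue
        loaded = _norm(e["ImageLoaded"])
        if _base(loaded) == "termsrv.dll":
            if loaded != EXPECTED_DLL or e.get("SignatureStatus") != "Valid":
                hits.append(e)
        elif not loaded.startswith("c:\\windows\\"):
            hits.append(e)
    return hits


def correlate(events, window=WINDOW):
    """Pair each suspicious load with a registry or file precursor inside the window. A
    non-canonical ServiceDll write is also alerted on alone: it persists across reboots
    even if the load has not happened yet."""
    alerts = []
    precursors = ([("registry", e) for e in registry_tamper(events)]
                  + [("file", e) for e in dll_overwrite(events)])
    for load in odd_module_load(events):
        for kind, pre in precursors:
            if timedelta(0) <= load["time"] - pre["time"] <= window:
                alerts.append((kind + "+load", pre["time"], load["ImageLoaded"]))
    for e in registry_tamper(events):
        alerts.append(("registry", e["time"], e["NewValue"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Against the sample, the TrustedInstaller activity produces nothing, while the regedit change, the patch.exe overwrite and the rdpwrap.dll load are paired into two correlated alerts plus the standalone registry alert. Shrinking `window` to zero drops both correlated alerts but keeps the registry one, which is the behaviour you want from the TimeWindow tunable: it should trade noise on the load side without losing the durable persistence indicator.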