MITRE ATT&CK Technique
Description
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services) [Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: <code>svchost.exe</code>) load the service's DLL file, the location of which is stored in a Registry entry named <code>ServiceDll</code>.(Citation: Microsoft System Services Fundamentals) The <code>termsrv.dll</code> file, typically stored in `%SystemRoot%\System32\`, is the default <code>ServiceDll</code> value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`. Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal <code>termsrv.dll</code> functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the <code>termsrv.dll</code> file or modifying the <code>ServiceDll</code> value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2022-03-28T15:34:44.590Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse components of Terminal Services to '
'enable persistent access to systems. Microsoft Terminal '
'Services, renamed to Remote Desktop Services in some Windows '
'Server OSs as of 2022, enable remote terminal connections to '
'hosts. Terminal Services allows servers to transmit a full, '
'interactive, graphical user interface to clients via '
'RDP.(Citation: Microsoft Remote Desktop Services)\n'
'\n'
'[Windows '
'Service](https://attack.mitre.org/techniques/T1543/003)s that '
'are run as a "generic" process (ex: <code>svchost.exe</code>) '
"load the service's DLL file, the location of which is stored "
'in a Registry entry named <code>ServiceDll</code>.(Citation: '
'Microsoft System Services Fundamentals) The '
'<code>termsrv.dll</code> file, typically stored in '
'`%SystemRoot%\\System32\\`, is the default '
'<code>ServiceDll</code> value for Terminal Services in '
'`HKLM\\System\\CurrentControlSet\\services\\TermService\\Parameters\\`.\n'
'\n'
'Adversaries may modify and/or replace the Terminal Services '
'DLL to enable persistent access to victimized '
'hosts.(Citation: James TermServ DLL) Modifications to this '
'DLL could be done to execute arbitrary payloads (while also '
'potentially preserving normal <code>termsrv.dll</code> '
'functionality) as well as to simply enable abusable features '
'of Terminal Services. For example, an adversary may enable '
'features such as concurrent [Remote Desktop '
'Protocol](https://attack.mitre.org/techniques/T1021/001) '
'sessions by either patching the <code>termsrv.dll</code> file '
'or modifying the <code>ServiceDll</code> value to point to a '
'DLL that provides increased RDP functionality.(Citation: '
'Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server '
'Windows OS this increased functionality may also enable an '
'adversary to avoid Terminal Services prompts that warn/log '
'out users of a system when a new RDP session is created.',
'external_references': [{'external_id': 'T1505.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1505/005'},
{'description': 'James. (2019, July 14). '
'@James_inthe_box. Retrieved '
'September 12, 2024.',
'source_name': 'James TermServ DLL',
'url': 'https://x.com/james_inthe_box/status/1150495335812177920'},
{'description': 'Microsoft. (2018, February 17). '
'Windows System Services '
'Fundamentals. Retrieved March 28, '
'2022.',
'source_name': 'Microsoft System Services '
'Fundamentals',
'url': 'https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx'},
{'description': 'Microsoft. (2019, August 23). About '
'Remote Desktop Services. Retrieved '
'March 28, 2022.',
'source_name': 'Microsoft Remote Desktop Services',
'url': 'https://docs.microsoft.com/windows/win32/termserv/about-terminal-services'},
{'description': "Stas'M Corp. (2014, October 22). RDP "
"Wrapper Library by Stas'M. Retrieved "
'March 28, 2022.',
'source_name': 'RDPWrap Github',
'url': 'https://github.com/stascorp/rdpwrap'},
{'description': 'Windows OS Hub. (2021, November 10). '
'How to Allow Multiple RDP Sessions '
'in Windows 10 and 11?. Retrieved '
'March 28, 2022.',
'source_name': 'Windows OS Hub RDP',
'url': 'http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/'}],
'id': 'attack-pattern--379809f6-2fac-42c1-bd2e-e9dee70b27f8',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:39.258Z',
'name': 'Terminal Services DLL',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.0'}