MITRE ATT&CK® Analytic

AN0595: Analytic 0595

Adversary modifies or replaces the Terminal Services DLL (`termsrv.dll`) or changes the associated `ServiceDll` Registry value to load an arbitrary or patched DLL that enables persistent and enhanced RDP access. This may include binary replacement, registry tampering, and unexpected module loads by the `svchost.exe -k termsvcs` process.

Enterprise | AN0595 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic concerns tampering with Windows Remote Desktop Services components so RDP can remain available or behave differently than expected. For leaders, the practical issue is not just “RDP misuse”; it is whether a critical remote access path can be altered at the DLL or service configuration layer without being noticed, undermining incident containment, privileged access controls, and audit confidence.

Executive priority

Prioritize this as a Windows remote access integrity and resilience concern. Security leaders should ask whether changes to Terminal Services binaries, service DLL registry configuration, and unexpected module loading by the Terminal Services service host are monitored and reviewable during an incident. This is especially relevant where RDP is used for administration, support, or recovery, because tampering could complicate containment decisions and weaken confidence in remote access governance.

Technical view

Validate coverage for Windows hosts running Terminal Services/RDP. The supplied ATT&CK object identifies three key behaviors: modification or replacement of `termsrv.dll`, changes to the associated `ServiceDll` Registry value, and unexpected DLL/module loads by the `svchost.exe -k termsvcs` process. SOC and detection engineering teams should confirm they can baseline expected file integrity, registry configuration, and module-load behavior for the Terminal Services service context, then alert on unauthorized drift. Because MITRE provides no official detection logic for this analytic, local tuning and environment baselining are required.

Likely telemetry

  • Windows file integrity or endpoint telemetry for changes to `termsrv.dll`
  • Windows Registry telemetry for changes to the Terminal Services `ServiceDll` value
  • Process telemetry identifying `svchost.exe -k termsvcs`
  • Module/DLL load telemetry for the Terminal Services service host process
  • Endpoint security or EDR events showing binary replacement, registry tampering, or service configuration drift

Detection direction

  • Baseline the expected path, hash/signature, and modification patterns for `termsrv.dll` on supported Windows builds before creating high-severity alerts.
  • Monitor the Terminal Services `ServiceDll` Registry value for unauthorized changes and correlate with process, user, and host context.
  • Review module loads by `svchost.exe -k termsvcs` for DLLs that are unexpected for the host build or change window.
  • Reduce false positives by accounting for legitimate Windows updates, servicing activity, and approved administrative maintenance.
  • During IR, compare suspected hosts against known-good systems and change records rather than relying on a single indicator.
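The three behaviours named in the Technical view and the baselining and false-positive points in the Detection direction list, as an added example that is not part of the MITRE analytic or of Glexia's page: a small Python detector run over hand-constructed Sysmon-style records (EventID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate, 13 RegistryEvent SetValue). It assumes the standard `ServiceDll` location under `HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters`, an allowlist of `TrustedInstaller.exe` as the legitimate writer of `termsrv.dll` during servicing, and a caller-supplied set of known-good `termsrv.dll` hashes; every event, path and hash below is constructed for the demonstration.

```python
"""
Added example, not code from MITRE or Glexia: a detector for the AN0595
behaviours (termsrv.dll replacement, ServiceDll tampering, unexpected module
loads by svchost.exe -k termsvcs) over constructed Sysmon-style records.
"""

# Standard location of the Terminal Services binary and its ServiceDll value.
# Assumed defaults: confirm against a known-good host for your Windows build.
TERMSRV_PATH = r"c:\windows\system32\termsrv.dll"
SERVICEDLL_KEY = (r"hklm\system\currentcontrolset\services\termservice"
                  r"\parameters\servicedll")
DEFAULT_SERVICEDLL = r"%SystemRoot%\System32\termsrv.dll"

# Processes that legitimately rewrite termsrv.dll during Windows servicing.
# Assumed allowlist; extend it from your own change records.
SERVICING_IMAGES = {r"c:\windows\servicing\trustedinstaller.exe"}


def norm(path):
    """Lower-case a Windows path and expand %SystemRoot% for comparison."""
    p = path.replace("/", "\\").lower()
    return p.replace("%systemroot%", r"c:\windows")


def detect(events, known_good_sha256=frozenset()):
    """Return (rule, process_image, detail) tuples for AN0595 behaviours.

    known_good_sha256: baseline SHA256 hashes of termsrv.dll for the host's
    build; an empty set disables the hash-drift check.
    """
    alerts = []
    # First pass: ProcessGuid -> command line, so ImageLoad events can be
    # tied back to the Terminal Services service host (svchost -k termsvcs).
    cmdline = {e["ProcessGuid"]: e["CommandLine"].lower()
               for e in events if e["EventID"] == 1}
    for e in events:
        eid, image = e["EventID"], norm(e.get("Image", ""))
        if eid == 11 and norm(e["TargetFilename"]) == TERMSRV_PATH:
            # Binary replacement: anything but servicing writing termsrv.dll.
            if image not in SERVICING_IMAGES:
                alerts.append(("termsrv_dll_written", image, e["TargetFilename"]))
        elif eid == 13 and norm(e["TargetObject"]) == SERVICEDLL_KEY:
            # Registry tampering: ServiceDll no longer points at the default.
            if norm(e["Details"]) != norm(DEFAULT_SERVICEDLL):
                alerts.append(("servicedll_changed", image, e["Details"]))
        elif eid == 7 and image.endswith(r"\svchost.exe"):
            cl = cmdline.get(e["ProcessGuid"], "")
            if "termsvcs" not in cl and "termservice" not in cl:
                continue  # a different svchost service group
            loaded = norm(e["ImageLoaded"])
            ms_signed = (e.get("Signed") == "true"
                         and e.get("Signature", "").startswith("Microsoft"))
            if not (loaded.startswith("c:\\windows\\system32\\") and ms_signed):
                # Unexpected module: outside System32 or not Microsoft-signed.
                alerts.append(("termsvcs_unexpected_module", image, e["ImageLoaded"]))
            elif loaded == TERMSRV_PATH and known_good_sha256:
                # Signed and in place, but does the hash match the baseline?
                hashes = dict(h.split("=", 1) for h in
                              e.get("Hashes", "").split(",") if "=" in h)
                sha = hashes.get("SHA256", "").lower()
                if sha and sha not in known_good_sha256:
                    alerts.append(("termsrv_hash_drift", image, sha))
    return alerts


SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICEDLL_OBJ = (r"HKLM\System\CurrentControlSet\Services\TermService"
                  r"\Parameters\ServiceDll")
SAMPLE_EVENTS = [  # constructed records, not captured from a real host
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": SVCHOST,
     "CommandLine": SVCHOST + " -k termsvcs -s TermService"},
    # Expected: Microsoft-signed termsrv.dll from System32 (constructed hash).
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": SVCHOST,
     "ImageLoaded": r"C:\Windows\System32\termsrv.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "Hashes": "SHA256=" + "ab" * 32},
    # Unexpected: unsigned DLL loaded from a user-writable path.
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": SVCHOST,
     "ImageLoaded": r"C:\Users\Public\termsrv.dll", "Signed": "false",
     "Signature": ""},
    # Servicing rewrites termsrv.dll during an update: suppressed.
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\termsrv.dll"},
    # An interactive shell rewrites it: flagged.
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\termsrv.dll"},
    # ServiceDll redirected away from the default path: flagged.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": SERVICEDLL_OBJ, "Details": r"C:\Users\Public\termsrv.dll"},
    # ServiceDll set back to the default: not flagged.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": SERVICEDLL_OBJ, "Details": DEFAULT_SERVICEDLL},
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS, {"ab" * 32}):
        print(f"{rule:28s} {image}  ->  {detail}")
```

The first pass is what makes the module-load rule usable: Sysmon's ImageLoad record does not carry the command line, so the `-k termsvcs` context has to be joined from the ProcessCreate record. The hash-drift rule deliberately sits behind the signature check and behind a caller-supplied baseline, which is where the page's advice on Windows updates applies: a new build changes the hash, so the baseline is refreshed from change records rather than the rule being disabled.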

Mitigation priorities

  • Restrict administrative permissions capable of modifying Windows service configuration, protected system files, and relevant Registry keys.
  • Use change control and file integrity monitoring for Terminal Services components on systems where RDP is enabled or operationally important.
  • Harden and govern RDP exposure and administrative access paths so tampering with RDP services is less likely to provide durable access.
  • Ensure endpoint controls and logging capture Registry changes, system DLL modification, and service-host module loading where feasible.
  • Include Terminal Services integrity checks in incident response playbooks for Windows systems where suspicious RDP persistence or service tampering is suspected.

Analyst notes and limits

The object is a detection analytic for Windows focused on Terminal Services DLL and service configuration tampering. No ATT&CK tactics, relationships, or official detection text were supplied, so this take emphasizes validation of telemetry and defensive decision points rather than mapping to a broader intrusion chain.

This summary is based only on the supplied ATT&CK analytic fields and one external MITRE reference. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detection coverage. Local Windows versions, RDP usage, logging configuration, EDR capabilities, and change-management data are required to determine material risk and alert fidelity.

Official MITRE ATT&CK definition

Analytic 0595

Adversary modifies or replaces the Terminal Services DLL (`termsrv.dll`) or changes the associated `ServiceDll` Registry value to load an arbitrary or patched DLL that enables persistent and enhanced RDP access. This may include binary replacement, registry tampering, and unexpected module loads by the `svchost.exe -k termsvcs` process.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5aa019c87351011b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 5aa019c87351…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0595 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.