DET0212: Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows)
Analyst context for executives and security teams
DET0212 is a MITRE detection strategy object for detecting T1505.005, Terminal Services DLL, a Windows persistence behavior involving abuse of Terminal Services / Remote Desktop Services components. The business significance is that remote access infrastructure is often trusted and operationally important; unauthorized persistence there can complicate incident containment, privileged access reviews, and restoration decisions.
Executive priority
Treat this as a Windows persistence coverage question for systems that provide or depend on Remote Desktop Services. Leaders should ask whether critical Windows servers have change monitoring, service configuration visibility, and incident response procedures sufficient to prove that Terminal Services components have not been altered. Because the official detection strategy text is not provided, priority should be based on local exposure to RDP/RDS, asset criticality, and the organization’s need for audit-ready evidence around remote administration paths.
Technical view
SOC and IR teams should validate monitoring around the related ATT&CK technique T1505.005: Terminal Services DLL, mapped to the persistence tactic on Windows. The component in scope is the Remote Desktop Services service (TermService), which runs inside svchost.exe and loads the DLL named by its ServiceDll registry value under HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters (by default %SystemRoot%\System32\termsrv.dll); the sub-technique covers replacing that DLL or redirecting the value to an attacker-controlled DLL so the code is loaded whenever the service starts. Since this DET0212 object does not include official detection logic, teams should derive coverage from defensible evidence sources: file and registry changes affecting termsrv.dll and the TermService service configuration, Windows service behavior, module loads by the svchost.exe instance hosting TermService, and RDP/RDS operational logs. Detection engineering should focus on unauthorized modification, unexpected DLL load behavior by that service host, and deviations from known-good baselines on Windows hosts.
Likely telemetry
- Windows file integrity or EDR file modification events for Terminal Services / Remote Desktop Services-related DLLs and directories
- Windows service configuration and registry change telemetry
- Process and module-load telemetry showing service-hosted components loading DLLs
- Remote Desktop Services / Terminal Services operational and service logs
- Administrative activity logs showing privileged changes on Windows servers
Detection direction
- Confirm which Windows systems run or expose Remote Desktop Services / Terminal Services and prioritize critical servers first.
- Validate that file and registry/service configuration changes are collected with enough fidelity to support investigation, not only alerting.
- Tune detections against approved patching, OS servicing, and administrative maintenance to reduce false positives while preserving visibility into unusual DLL or service changes.
- Correlate suspicious component changes with privileged logons, RDP activity, process/module-load events, and endpoint detections.
- Review blind spots where RDP/RDS-enabled servers lack EDR, file integrity monitoring, centralized Windows event collection, or known-good baselines.
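The detection direction above, worked through as an added example that is not part of the MITRE object or the Glexia analysis: Python detection rules run over a handful of constructed Sysmon-style registry (Event ID 13), file-create (Event ID 11) and image-load (Event ID 7) records plus one Security 4624 logon, none of which come from a real host. The expected ServiceDll value, the servicing-process allowlist (TrustedInstaller.exe, TiWorker.exe) and the C: system drive are assumptions to tune locally; the rule names are invented for this example.

```python
"""Constructed Sysmon/Security-log style events and detection rules for
T1505.005 (Terminal Services DLL) persistence. Added example, not MITRE text."""
import ntpath

# Default ServiceDll of the TermService service. On disk it is a REG_EXPAND_SZ
# value "%SystemRoot%\System32\termsrv.dll"; it is normalized to C: below.
EXPECTED_SERVICEDLL = r"c:\windows\system32\termsrv.dll"
SERVICEDLL_KEY_SUFFIX = r"\services\termservice\parameters\servicedll"

# Images allowed to rewrite termsrv.dll on disk during OS servicing.
# Assumption for this example: tune to the local patching workflow.
SERVICING_IMAGES = {"trustedinstaller.exe", "tiworker.exe"}


def normalize_path(p: str) -> str:
    """Lower-case, unquote and expand %SystemRoot% so registry values and file
    paths compare equal. Assumes Windows is installed on C: (constructed example)."""
    p = p.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows")


def is_expected_servicedll(value: str) -> bool:
    """True when a ServiceDll value still points at the stock termsrv.dll (baseline check)."""
    return normalize_path(value) == EXPECTED_SERVICEDLL


def detect(events):
    """Run three T1505.005 rules over a list of event dicts and return alert dicts."""
    alerts = []
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 13 and normalize_path(e["TargetObject"]).endswith(SERVICEDLL_KEY_SUFFIX):
            # Rule 1: TermService ServiceDll redirected away from the stock termsrv.dll.
            if not is_expected_servicedll(e["Details"]):
                alerts.append(dict(rule="termservice_servicedll_redirect", severity="high",
                                   host=host, evidence=e["Details"], actor=e["Image"]))
        elif eid == 11 and normalize_path(e["TargetFilename"]) == EXPECTED_SERVICEDLL:
            # Rule 2: termsrv.dll rewritten by something other than OS servicing.
            writer = ntpath.basename(normalize_path(e["Image"]))
            if writer not in SERVICING_IMAGES:
                alerts.append(dict(rule="termsrv_dll_written_outside_servicing", severity="high",
                                   host=host, evidence=e["TargetFilename"], actor=e["Image"]))
        elif eid == 7 and ntpath.basename(normalize_path(e["Image"])) == "svchost.exe":
            # Rule 3: the service host loads a termsrv.dll from the wrong path or unsigned.
            loaded = normalize_path(e["ImageLoaded"])
            if ntpath.basename(loaded) == "termsrv.dll" and (
                    loaded != EXPECTED_SERVICEDLL or str(e.get("Signed", "")).lower() != "true"):
                alerts.append(dict(rule="svchost_loads_untrusted_termsrv", severity="medium",
                                   host=host, evidence=e["ImageLoaded"], actor=e["Image"]))
    return alerts


def correlate_rdp_logons(alerts, events):
    """Attach RDP logons (Security 4624, LogonType 10) seen on the same host so an
    analyst can tie the component change to a remote privileged session."""
    for a in alerts:
        a["rdp_logons"] = sorted({e["TargetUserName"] for e in events
                                  if e["EventID"] == 4624 and e["Computer"] == a["host"]
                                  and e.get("LogonType") == 10})
    return alerts


# Constructed telemetry; none of these records come from a real host.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "RDS01", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "Details": r"%SystemRoot%\System32\termsrv.dll"},                      # benign
    {"EventID": 13, "Computer": "RDS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "Details": r"C:\ProgramData\rdp\termsrv.dll"},                         # rule 1
    {"EventID": 11, "Computer": "RDS02", "Image": r"C:\Windows\WinSxS\amd64_x\TiWorker.exe",
     "TargetFilename": r"C:\Windows\System32\termsrv.dll"},                 # benign servicing
    {"EventID": 11, "Computer": "RDS02", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\termsrv.dll"},                 # rule 2
    {"EventID": 7, "Computer": "RDS01", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\termsrv.dll", "Signed": "true"},  # benign
    {"EventID": 7, "Computer": "RDS01", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\ProgramData\rdp\termsrv.dll", "Signed": "false"},  # rule 3
    {"EventID": 4624, "Computer": "RDS01", "LogonType": 10, "TargetUserName": "svc_backup"},
]

if __name__ == "__main__":
    for alert in correlate_rdp_logons(detect(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the three malicious records each raise one alert while the benign registry write, the TiWorker.exe servicing write and the signed stock load stay silent; the RDS01 alerts carry the `svc_backup` RDP logon as context. In production the allowlist in rule 2 is where approved patching and maintenance (detection direction, third bullet) gets tuned, and a host whose TermService ServiceDll value fails `is_expected_servicedll` without a matching change record is the baseline deviation the last bullet asks teams to look for.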
Mitigation priorities
- Establish an inventory of Windows hosts using Remote Desktop Services / Terminal Services and assign ownership for monitoring and change control.
- Harden administrative access to RDP/RDS-capable systems using least privilege and strong identity controls.
- Implement change control and integrity monitoring for service files, DLLs, and service configuration related to Terminal Services.
- Maintain incident response playbooks for suspected persistence on remote administration infrastructure, including evidence preservation and restoration from trusted media or baselines.
- Use vulnerability and configuration management programs to keep Windows remote access infrastructure patched and consistently configured.
Analyst notes and limits
This take is based on the DET0212 detection strategy object and its relationship to ATT&CK technique T1505.005, Terminal Services DLL. The object itself provides no official description, detection text, tactics, or platforms; the Windows platform and persistence context come from the related technique relationship.
MITRE did not provide detection logic or implementation guidance in the supplied fields for DET0212. Local environment details are required to determine approved administrative workflows, which telemetry sources are actually available, whether any sanctioned tooling legitimately alters the TermService ServiceDll value or termsrv.dll, and how patching and OS servicing appear in file and registry telemetry.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1505.005 | Terminal Services DLL (sub-technique of T1505, Server Software Component) | This detection strategy covers Terminal Services DLL. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bdc4c95bd313… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0212 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.