Terminal Services DLL

Information

• Name: Terminal Services DLL

• ID: T1505.005

• Tactics: TA0003

• Technique: T1505

Introduction

Terminal Services DLL (T1505.005) is a sub-technique within the MITRE ATT&CK framework under the broader category of Server Software Component: DLLs. Adversaries exploit the default loading behavior of Terminal Services (Remote Desktop Services) to execute malicious Dynamic Link Libraries (DLLs). By replacing or hijacking legitimate DLL files used by Terminal Services, attackers can achieve persistence, privilege escalation, or lateral movement within compromised environments.

Deep Dive Into Technique

Terminal Services, also known as Remote Desktop Services (RDS), utilize various DLL files during their normal operation. Attackers leverage DLL search order hijacking or DLL side-loading by placing malicious DLL files in directories that Terminal Services applications search during initialization. Common exploitation methods include:

• DLL Search Order Hijacking:

  • Attackers place malicious DLLs in directories prioritized by the Windows DLL load order.

  • Windows searches for DLLs in the following typical order:

    1. Directory from which the application loaded.

    2. System directory (e.g., %SystemRoot%\System32).

    3. Windows directory (%SystemRoot%).

    4. Current working directory.

    5. Directories listed in the system PATH environment variable.

• DLL Side-Loading:

  • Attackers exploit legitimate applications that load DLLs by name without specifying absolute paths.

  • Malicious DLLs are placed alongside legitimate executables, causing the application to load and execute malicious code unknowingly.

• Commonly Targeted DLLs:

  • termsrv.dll: Core DLL for Terminal Services functionality.

  • mstscax.dll: Microsoft Terminal Services ActiveX Client DLL.

  • Other Terminal Services-specific DLLs loaded during RDP client/server interactions.

Attackers often leverage these techniques to maintain persistent presence, escalate privileges, or move laterally within compromised networks. Manipulating Terminal Services DLLs allows attackers to blend malicious activity with legitimate processes, complicating detection and remediation.

When this Technique is Usually Used

Attackers typically deploy this sub-technique during various stages of an attack lifecycle, including:

• Persistence:

  • Establishing long-term footholds by ensuring malicious DLLs are loaded automatically during Terminal Services startup or execution.

  • Surviving system reboots, updates, and administrative actions.

• Privilege Escalation:

  • Leveraging Terminal Services DLL loading mechanisms to execute malicious code under elevated privileges, especially if Terminal Services run with administrative rights.

• Defense Evasion:

  • Masking malicious activity by embedding DLL payloads into legitimate Terminal Services processes, making identification and attribution difficult.

• Lateral Movement:

  • Leveraging compromised Terminal Services infrastructure to pivot and move laterally into other networked systems or services.

• Initial Access and Execution:

  • Deploying malicious DLLs through supply chain attacks, phishing campaigns, or exploitation of vulnerabilities in Terminal Services components.

How this Technique is Usually Detected

Detection of Terminal Services DLL manipulation involves proactive monitoring, auditing, and analysis of system behavior and file integrity. Common detection methods include:

• File Integrity Monitoring (FIM):

  • Monitor critical DLL files used by Terminal Services (termsrv.dll, mstscax.dll, etc.) for unauthorized modifications, replacements, or unusual file additions.

  • Alert on unexpected changes to DLL hashes, file sizes, timestamps, and digital signatures.

• Process Monitoring and Behavioral Analysis:

  • Monitor Terminal Services processes (svchost.exe, termsrv.exe, mstsc.exe) for suspicious DLL loading patterns, unusual child processes, or unexpected network connections.

  • Leverage Sysmon and Event Logs to track DLL loads and process creations associated with Terminal Services.

• Endpoint Detection and Response (EDR) Solutions:

  • Utilize EDR tools to identify unusual DLL loading patterns, suspicious memory injections, or anomalous process behaviors indicative of DLL hijacking or side-loading.

• Event Log Analysis:

  • Analyze Windows event logs (Security, System, Application) for events related to Terminal Services DLL loading errors, unexpected failures, or unusual authentication attempts.

• Indicators of Compromise (IoCs):

  • Presence of unsigned or suspiciously signed DLL files within Terminal Services directories.

  • Unexpected DLL files appearing in directories commonly used by Terminal Services or RDP clients.

  • Altered registry values related to Terminal Services DLL loading paths or startup configurations.

Why it is Important to Detect This Technique

Early detection of Terminal Services DLL manipulation is crucial due to its potentially severe impacts on system security and operational integrity. Key reasons include:

• Persistence and Stealth:

  • Malicious DLLs can remain undetected for extended periods, providing attackers ongoing access and control over compromised systems.

• Privilege Escalation:

  • Attackers may gain elevated privileges by hijacking DLLs loaded by high-privilege Terminal Services processes, granting them administrative control over systems and networks.

• Risk of Data Exfiltration:

  • Compromised Terminal Services DLLs may facilitate unauthorized data access and exfiltration, leading to breaches of sensitive information, intellectual property theft, or regulatory compliance violations.

• Operational Disruption:

  • Malicious DLLs can disrupt legitimate Terminal Services functionality, impacting remote access capabilities, causing downtime, and negatively affecting business continuity.

• Lateral Movement and Wider Compromise:

  • Attackers can leverage compromised Terminal Services infrastructure to pivot into other networked systems, significantly expanding the scope and severity of a cyber incident.

Examples

Real-world examples demonstrating Terminal Services DLL exploitation include:

• APT41 (Winnti Group):

  • Known to use DLL side-loading techniques, including Terminal Services DLL hijacking, to achieve persistence and evade detection.

  • Attackers placed malicious DLLs alongside legitimate executables, causing Terminal Services to load and execute malicious payloads unknowingly.

• FIN7 (Carbanak Group):

  • Leveraged DLL hijacking techniques, including targeting Terminal Services components, to maintain persistence within compromised financial institutions and retail organizations.

  • Used DLL side-loading to execute custom malware payloads, facilitating data theft and lateral movement.

• Operation Cloud Hopper (APT10):

  • Utilized DLL hijacking tactics involving Terminal Services DLLs to persist within managed service provider (MSP) environments.

  • Malicious DLLs loaded by legitimate Terminal Services processes allowed attackers to maintain stealthy access, exfiltrate sensitive data, and compromise client networks.

• Supply Chain Attacks:

  • Attackers have compromised software supply chains, inserting malicious DLLs into legitimate Terminal Services software or updates.

  • Unsuspecting organizations deploying compromised software inadvertently load malicious DLLs, granting attackers widespread initial access and lateral movement capabilities.

In each of these scenarios, attackers successfully leveraged Terminal Services DLL exploitation to persistently compromise victim environments, evade detection, escalate privileges, and expand their foothold, underscoring the importance of proactive monitoring and detection strategies.