Cobalt Strike Removal Guide
Signs of Infection
Cobalt Strike infections typically manifest through specific artifacts and behaviors. On the file system, look for suspicious executables, DLLs, or script files in temporary directories (%TEMP%, C:\Windows\Temp), user profile paths (%APPDATA%, %LOCALAPPDATA%), or system directories. Common file names may mimic legitimate software or use random alphanumeric strings. Pay attention to recently created or modified files with timestamps aligned with suspected compromise.
Process behavior indicators include unexpected processes spawning from rundll32.exe, regsvr32.exe, mshta.exe, or wscript.exe with suspicious command-line arguments. Look for processes making anomalous network connections or injecting code into legitimate processes like explorer.exe, svchost.exe, or browser processes. Unusual memory allocations, particularly executable memory regions in non-executable processes, are also red flags.
Network signs involve beaconing traffic to external IP addresses or domains with low reputation. Connections typically occur over HTTP/HTTPS, DNS, or SMB. Beacons often exhibit regular intervals (e.g., every 5, 10, or 60 seconds) and may use common user-agent strings or mimic legitimate web traffic. Look for anomalous DNS queries for subdomains with high entropy or patterns matching known Cobalt Strike domain generation algorithms (DGA). Internal lateral movement may involve SMB or WinRM connections from unexpected hosts.
Immediate Containment Steps
Within the first 15 minutes of detection, immediately isolate the affected host from the network by disabling its network adapters or segmenting it via network access control. This prevents further command-and-control communication and lateral movement. If complete isolation isn’t feasible, implement firewall rules to block all outbound traffic from the host except to essential management systems.
Identify and terminate malicious processes using your EDR solution or process explorer. Focus on processes with suspicious parent-child relationships, such as powershell.exe spawned by rundll32.exe. Collect memory dumps of these processes for later analysis before termination. Do not rely solely on terminating processes, as persistence mechanisms will likely regenerate them.
Initiate emergency credential rotation for all accounts that have logged onto the compromised host, including local administrator, domain administrator, and service accounts. Prioritize accounts with elevated privileges. Change credentials on associated systems, especially those showing lateral movement attempts. Begin collecting and preserving logs from the host and network devices for investigation.
Manual Removal Process
- Terminate Malicious Processes: Use a command-line process management tool to list all processes. Identify Cobalt Strike-related processes by checking their command-line arguments, loaded modules, and network connections. Common indicators include processes loading suspicious DLLs or connecting to known C2 IPs. Terminate these processes using their PID with the appropriate termination command.
- Delete Persistence Mechanisms: Check common persistence locations:
  - Scheduled Tasks: Look for tasks with random names or triggers executing suspicious commands. Use the task scheduler command-line tool to delete them.
  - Services: Examine services for unusual display names, descriptions, or paths pointing to temporary locations. Use the service management command-line tool to stop and delete malicious services.
  - Registry Run Keys: Inspect HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and their RunOnce variants. Remove entries with suspicious values or paths.
  - Startup Folder: Check %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp for malicious shortcuts or executables.
  - File Association Hijacks: Verify registry keys like HKCR\exefile\shell\open\command for modifications.
- Remove Dropped Files: Search for and delete malicious files identified during investigation. Common locations include:
  - %TEMP% and subdirectories
  - C:\Windows\Temp
  - %APPDATA% and %LOCALAPPDATA%
  - C:\Windows\System32 and C:\Windows\SysWOW64 (look for recently added DLLs or executables)
  Use file hashes from your IOC list to identify known malicious files. Delete files and clear any alternate data streams.
- Clean Registry Entries: Remove all registry keys and values associated with the malware beyond just persistence locations. This may include:
  - Keys storing C2 configuration or encryption keys
  - Keys created under HKLM\Software or HKCU\Software with random or suspicious names
  - Modifications to security software exclusion lists
  Export registry keys before deletion for evidence.
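The persistence sweep described in the removal steps above, written out as an added PowerShell triage script (not part of the original guide). It is read-only and only reports entries whose command or binary path points at a user-writable location; the list of suspicious path fragments in `$suspicious` is an assumption for illustration, and every hit should be reviewed and exported before anything is deleted.

```powershell
# Added triage sweep (not from the original guide): lists entries in the persistence
# locations above whose command or binary path points at a user-writable location.
# The path heuristic is an assumption; review every hit manually before deleting.
$suspicious = @('\Temp\', '\AppData\', '\ProgramData\', '\Users\Public\', '\Downloads\')
function Test-SuspiciousPath([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($s in $suspicious) { if ($Path -like "*$s*") { return $true } }
    return $false
}
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Name, $Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Value = $Value })
}

# Scheduled tasks: check each action's executable plus its arguments
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspiciousPath $cmd) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# Services: binary path outside the usual system locations
foreach ($svc in Get-CimInstance Win32_Service) {
    if (Test-SuspiciousPath $svc.PathName) { Add-Finding 'Service' $svc.Name $svc.PathName }
}

# Run and RunOnce keys for the current user and the machine
$runKeys = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($k in 'Run', 'RunOnce') { "${hive}:\Software\Microsoft\Windows\CurrentVersion\$k" }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and (Test-SuspiciousPath $p.Value)) { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# Startup folders: anything present here deserves a look
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    Add-Finding 'StartupFolder' $f.Name $f.FullName
}

# exefile handler: the stock default value is "%1" %*
$exeCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($exeCmd -ne '"%1" %*') { Add-Finding 'FileAssociation' 'HKCR\exefile\shell\open\command' $exeCmd }
$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that HKLM, all users' scheduled tasks and service definitions are readable; expect some benign hits (updaters that live under AppData) that need to be cleared by hand.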
Verifying Removal
After removal, perform a full system scan with your endpoint security solution using updated signatures. Conduct a memory analysis to ensure no malicious code remains resident. Use a network monitoring tool to verify the host no longer makes beaconing connections to known C2 infrastructure. Monitor outbound traffic for patterns matching Cobalt Strike’s communication protocols.
Check system and security logs for any residual malicious activity. Look for event IDs related to service creation, scheduled task registration, process creation, and network connections. Specifically, examine Windows Security event logs for failed logon attempts (Event ID 4625) or unusual successful logons (Event ID 4624) that may indicate lingering access.
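The log review above, as an added PowerShell example that is not part of the original guide. Event IDs 4624 and 4625 come from the text; 7045 (service installed, System log), 4698 (scheduled task created) and 4688 (process created) are the standard Windows IDs for the other event types named, and the last two only appear when their audit subcategories are enabled. The `-Hours` window and the LOLBin parent filter are assumptions for illustration.

```powershell
# Added example (not from the original guide): collects the post-removal log evidence
# described above from the last N hours. 4624/4625 are from the text; 7045, 4698 and
# 4688 are the standard IDs for service install, task creation and process creation.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's EventData into a name/value table
function Get-EventData($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}
# Get-WinEvent throws when a filter matches nothing; treat that as an empty result
function Get-Events([string]$Log, [int[]]$Ids) {
    try { Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction Stop }
    catch { @() }
}

# Persistence re-created after cleanup: new services and scheduled tasks
$services = Get-Events 'System' 7045 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; Image = $d.ImagePath }
}
$tasks = Get-Events 'Security' 4698 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Task = $d.TaskName; User = $d.SubjectUserName }
}

# Logons: every failure, plus successful network (3) and RDP (10) logons
$logons = Get-Events 'Security' 4624, 4625 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName
                       Type = $d.LogonType; From = $d.IpAddress }
} | Where-Object { $_.Id -eq 4625 -or $_.Type -in '3', '10' }

# Process creation whose parent is one of the LOLBins named under Signs of Infection
$lolbins = 'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe'
$procs = Get-Events 'Security' 4688 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Parent = $d.ParentProcessName
                       Process = $d.NewProcessName; CommandLine = $d.CommandLine }
} | Where-Object { $_.Parent -and (Split-Path $_.Parent -Leaf) -in $lolbins }

$report = [ordered]@{ 'New services' = $services; 'New scheduled tasks' = $tasks
                      'Logons of interest' = $logons; 'Children of LOLBins' = $procs }
foreach ($name in $report.Keys) {
    "== $name ($(@($report[$name]).Count)) =="
    $report[$name] | Format-Table -AutoSize | Out-String
}
```

An empty report is only meaningful if process creation auditing (with command-line logging) and object access auditing for scheduled tasks were enabled before the cleanup; otherwise the 4688 and 4698 sections are silent regardless of what happened.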
Validate the integrity of critical system files using built-in system file checking utilities. Ensure all persistence mechanisms have been removed by re-checking the locations listed in the removal process. Consider deploying a dedicated threat hunting tool to perform behavioral analysis and confirm no artifacts remain.
Post-Removal Security Hardening
Implement application allowlisting to prevent execution of unauthorized binaries, particularly from temporary directories. Configure your EDR solution to detect and block process injection techniques commonly used by Cobalt Strike. Update firewall rules to restrict outbound connections to only necessary ports and protocols, and implement egress filtering.
Enable enhanced logging across all endpoints, ensuring process creation, network connection, and PowerShell script block logging are activated. Create specific SIEM detection rules for Cobalt Strike indicators, including:
- Processes spawning from script interpreters with encoded commands
- Network connections to IP addresses in your IOC list
- DLLs loaded from temporary directories
- Scheduled tasks or services created with suspicious commands
Review and enforce the principle of least privilege across all user and service accounts. Disable unnecessary services and protocols that Cobalt Strike exploits for lateral movement, such as SMBv1 and unnecessary RPC services. Implement network segmentation to limit lateral movement opportunities.
Establish continuous monitoring for Cobalt Strike’s specific TTPs, including its use of living-off-the-land binaries (LOLBins) and obfuscation techniques. Regularly update your IOC lists and detection signatures. Conduct periodic security awareness training focused on phishing prevention, as Cobalt Strike is often deployed via spear-phishing campaigns.
For the latest indicators of compromise, refer to the Current Cobalt Strike IOCs. Detection effectiveness can be reviewed at Detection Rate. General information is available in the Cobalt Strike Overview.