Default Cobalt Strike Certificate

Nov 24, 2025 · attack.command-and-control attack.s0154 ·

Detects the presence of default Cobalt Strike certificate in the HTTPS traffic

Sigma rule (View on GitHub)

 1title: Default Cobalt Strike Certificate
 2id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
 3status: test
 4description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
 5references:
 6    - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
 7author: Bhabesh Raj
 8date: 2021-06-23
 9modified: 2022-10-09
10tags:
11    - attack.command-and-control
12    - attack.s0154
13logsource:
14    product: zeek
15    service: x509
16detection:
17    selection:
18        certificate.serial: 8BB00EE
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468

Read More

Default Cobalt Strike Certificate

Sigma rule (View on GitHub)

References

https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468

Related rules