<div dir="ltr">Hi,<div><br></div><div>Default CobaltStrike cert detection based on <a href="https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html">https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html</a>.</div><div><br></div><div>You can see examples of this here: <a href="https://censys.io/certificates?q=cobaltstrike">https://censys.io/certificates?q=cobaltstrike</a></div><div><div><br></div><div>alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Default CobaltStrike SSL Certificate"; flow:established,to_client; tls_cert_issuer; content:"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike"; nocase; classtype:trojan-activity; reference:url,<a href="http://www.cobaltstrike.com">www.cobaltstrike.com</a>; sid:144411; rev:1;)<br></div></div><div><br></div><div><br></div><div>Kind Regards,</div><div>Kevin Ross</div></div>
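The rule above fires on the issuer DN of the default Cobalt Strike TLS certificate. The following script is an added example, not part of the original post or of the Emerging Threats ruleset: it applies the same issuer check to Suricata EVE JSON `tls` records, so an analyst can sweep existing logs (or a pcap replayed through Suricata) for the same certificate without loading the rule. The EVE field names (`event_type`, `tls.issuerdn`, `src_ip`, `dest_ip`) are Suricata's; the log lines and IP addresses are constructed for the example. Matching is done per RDN and case-insensitively, which is the same effect as the rule's `nocase`, plus tolerance for a different attribute order in the serialised DN.

```python
"""Sweep Suricata EVE JSON tls events for the default Cobalt Strike issuer DN.
Added example; the sample log lines below are constructed, not real captures."""
import json
from typing import Dict, List

# Issuer DN exactly as it appears in the rule's content: match.
DEFAULT_CS_ISSUER = ("C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, "
                     "OU=AdvancedPenTesting, CN=Major Cobalt Strike")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an 'A=x, B=y' distinguished name into lower-cased attribute/value pairs.
    Attribute order is ignored so different serialisations of the same DN still match.
    Escaped commas inside a value are not handled; the default CS issuer has none."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        parts[key.strip().lower()] = value.strip().lower()
    return parts


EXPECTED_ISSUER = parse_dn(DEFAULT_CS_ISSUER)


def is_default_cobaltstrike_issuer(issuerdn: str) -> bool:
    """True when every RDN of the default Cobalt Strike issuer is present, case-insensitively."""
    return parse_dn(issuerdn) == EXPECTED_ISSUER


def scan_eve(lines: List[str]) -> List[dict]:
    """Return one summary dict per tls event whose certificate issuer matches.
    In a Suricata tls record src_ip is the client and dest_ip the TLS server, so
    dest_ip is the host presenting the certificate (the suspected team server)."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the sweep
        if event.get("event_type") != "tls":
            continue
        issuer = event.get("tls", {}).get("issuerdn", "")
        if is_default_cobaltstrike_issuer(issuer):
            hits.append({
                "timestamp": event.get("timestamp"),
                "src_ip": event.get("src_ip"),
                "dest_ip": event.get("dest_ip"),
                "dest_port": event.get("dest_port"),
                "issuerdn": issuer,
            })
    return hits


# Constructed sample EVE records: two matches (one with different case and RDN
# order), one benign issuer, one non-tls event and one malformed line.
SAMPLE_EVE = [
    json.dumps({"timestamp": "2020-04-01T10:00:00.000000+0000", "event_type": "tls",
                "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 443,
                "tls": {"subject": "CN=Major Cobalt Strike", "issuerdn": DEFAULT_CS_ISSUER}}),
    json.dumps({"timestamp": "2020-04-01T10:00:01.000000+0000", "event_type": "tls",
                "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 443,
                "tls": {"issuerdn": "CN=major cobalt strike, OU=advancedpentesting, "
                                    "O=CobaltStrike, L=Somewhere, ST=Cyberspace, C=earth"}}),
    json.dumps({"timestamp": "2020-04-01T10:00:02.000000+0000", "event_type": "tls",
                "src_ip": "10.0.0.5", "dest_ip": "192.0.2.20", "dest_port": 443,
                "tls": {"issuerdn": "C=US, O=Let's Encrypt, CN=R3"}}),
    json.dumps({"timestamp": "2020-04-01T10:00:03.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.2"}),
    '{"event_type": "tls", "tls": {"issuerdn": ',  # truncated line
]

if __name__ == "__main__":
    for hit in scan_eve(SAMPLE_EVE):
        print(f"{hit['timestamp']} {hit['src_ip']} -> {hit['dest_ip']}:{hit['dest_port']} "
              f"default Cobalt Strike issuer: {hit['issuerdn']}")
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE` with the file's lines; each hit names the server that presented the certificate, which is the address to pivot on in proxy and firewall logs.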