Using Cobalt Strike to Find (More) Cobalt Strike

ID: f3ea845a-517f-591f-92c5-919a5c026905

STIX ID: report--f3ea845a-517f-591f-92c5-919a5c026905

Feed Name: Censys Blog

Threat Score: 70/100

Date Published: 2025-12-01

Date Updated: 2026-04-27

Author: Mark Ellzey; Senior Security Researcher

This report demonstrates how to discover and expand known Cobalt Strike command-and-control infrastructure by analyzing TLS certificate Distinguished Names, certificate ordering quirks produced by Cobalt Strike, Certificate Transparency logs, and Censys scan data; it includes scripts, sample DN fingerprints, case studies of active C2 servers (including some using legitimate CA certs), and recommended hunting queries to surface additional suspected hosts.
