
Default Cobalt Strike Team Server Certificate

Elastic Detection Rules

Summary
This rule detects use of the default TLS certificate that ships with the Cobalt Strike Team Server, a tool used for adversary simulations and red team operations. It identifies potential misuse of Cobalt Strike by monitoring network traffic for the MD5, SHA1, and SHA256 hashes of that default certificate: an operator who never replaces the shipped certificate presents the same fingerprint on every connection. Cobalt Strike can establish command and control channels over TLS with its default settings, and threat actors who run it unmodified expose this certificate. The detection is a query over network traffic data that looks for those specific hash values, so a match identifies unauthorized Cobalt Strike activity quickly. Investigation involves reviewing the flagged connections, correlating traffic patterns, and assessing for signs of compromise, while managing potential false positives from legitimate internal security testing or use by authorized teams. Immediate response actions include isolating affected systems and conducting forensic analysis to mitigate the risk posed by a Cobalt Strike deployment that still uses the default certificate.
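The matching logic the summary describes, as an added example that is not Elastic's rule and not Cobalt Strike's code: it reads ECS-style network events (assumed field names tls.server.hash.md5/sha1/sha256, source.ip, destination.ip), normalizes certificate fingerprints so colon-separated or upper-case values still match, checks them against a watchlist, and tags matches from sources an authorized red team has registered so the false-positive case is visible rather than silently dropped. The page does not give the real default-certificate hashes, so the watchlist holds obviously fake placeholders that must be replaced with the fingerprints from the actual rule; the sample events are constructed, not captured traffic.

```python
"""
Added example (not Elastic's rule logic): match TLS server certificate
fingerprints in ECS-style network events against a watchlist of known
default Cobalt Strike Team Server certificate hashes.

Assumptions (not from the page):
  * events are ECS-shaped dicts carrying tls.server.hash.{md5,sha1,sha256}
  * the real default-certificate hashes are NOT on the page; the values
    below are PLACEHOLDERS to be replaced with the hashes from the rule
"""
import json
from typing import Iterable, Optional

# PLACEHOLDER fingerprints (hex, lower-case, no separators). Replace with
# the MD5/SHA1/SHA256 values from the actual detection rule.
DEFAULT_CS_CERT_HASHES = {
    "md5": {"0123456789abcdef" * 2},   # 32 hex chars
    "sha1": {"0" * 40},                # 40 hex chars
    "sha256": {"0" * 64},              # 64 hex chars
}

# Constructed example: hosts an authorized red team registered for an
# engagement window. Matches from these are tagged, not suppressed, so an
# analyst can confirm the engagement rather than lose the signal.
AUTHORIZED_TESTING_SOURCES = {"10.10.5.20"}


def normalize_fingerprint(value: str) -> str:
    """Lower-case and strip separators so 'AB:CD' and 'abcd' compare equal."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def get_nested(event: dict, path: str):
    """Walk a dotted ECS path ('tls.server.hash.md5'); None if any step is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def match_event(event: dict) -> Optional[dict]:
    """Return an alert dict if any server-cert hash in the event is on the watchlist."""
    for algo, watch in DEFAULT_CS_CERT_HASHES.items():
        raw = get_nested(event, f"tls.server.hash.{algo}")
        if not raw:
            continue  # event has no fingerprint for this algorithm
        fp = normalize_fingerprint(str(raw))
        if fp in watch:
            src = get_nested(event, "source.ip")
            return {
                "rule": "Default Cobalt Strike Team Server Certificate",
                "matched_algorithm": algo,
                "fingerprint": fp,
                "source_ip": src,
                "destination_ip": get_nested(event, "destination.ip"),
                "authorized_testing": src in AUTHORIZED_TESTING_SOURCES,
            }
    return None


def scan(lines: Iterable[str]) -> list:
    """Run the matcher over JSON-lines events; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad record stop the pipeline
        alert = match_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real traffic, not real certificate hashes).
SAMPLE_EVENTS = [
    # SHA256 placeholder match from an unknown source -> alert
    json.dumps({"source": {"ip": "192.0.2.10"}, "destination": {"ip": "198.51.100.7"},
                "tls": {"server": {"hash": {"sha256": "0" * 64}}}}),
    # MD5 placeholder match, colon-separated upper-case, from an authorized tester
    json.dumps({"source": {"ip": "10.10.5.20"}, "destination": {"ip": "198.51.100.8"},
                "tls": {"server": {"hash": {"md5": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF"}}}}),
    # Unrelated certificate -> no alert
    json.dumps({"source": {"ip": "192.0.2.11"}, "destination": {"ip": "203.0.113.5"},
                "tls": {"server": {"hash": {"sha1": "a" * 40}}}}),
    # No TLS metadata at all -> ignored
    json.dumps({"source": {"ip": "192.0.2.12"}, "destination": {"ip": "203.0.113.6"}}),
    # Malformed record -> skipped
    "{not json",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running the block prints two alerts: one for the unknown source and one tagged `authorized_testing: true` for the registered red-team host, which is the distinction the summary's false-positive guidance asks an analyst to make.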
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1071
  • T1071.001
Created: 2020-10-05