diff --git a/exposed-panels/c2/cobalt-strike-c2.yaml b/exposed-panels/c2/cobalt-strike-c2.yaml
new file mode 100644
index 0000000000..4b13cccaf4
--- /dev/null
+++ b/exposed-panels/c2/cobalt-strike-c2.yaml
@@ -0,0 +1,26 @@
+id: cobalt-strike-c2
+
+info:
+  name: Cobalt Strike C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.
+  reference:
+    - https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
+  metadata:
+    shodan-query: ssl.cert.serial:146473198
+  tags: ssl,c2,ir,blue-team
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(serial,"08:BB:00:EE")'
+
+    extractors:
+      - type: json
+        json:
+          - ".serial"
\ No newline at end of file
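Review bot: The matcher `contains(serial,"08:BB:00:EE")` is a substring test, so any certificate whose serial merely includes that byte sequence fires, while the `shodan-query` in metadata pins the exact serial 146473198 (0x08BB00EE); an exact comparison such as `- 'serial == "08:BB:00:EE"'` (or an anchored regex, once the colon/case format the ssl protocol emits for `serial` is confirmed) keeps the two consistent and avoids stray hits on longer serials. The description is the vendor's product blurb rather than a statement of what the template checks; `description: Detects the default self-signed TLS certificate shipped with the Cobalt Strike team server (serial 146473198 / 0x08BB00EE).` would tell an analyst what a hit means. A comment above `matchers` should record that only the stock keystore certificate is covered, so a team server that an operator has fronted with a custom or CA-issued certificate will not match and a miss is not evidence of absence. The file also lacks a trailing newline.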