C2 Label
The command and control label (labels: C2) is key for identifying servers involved in potentially malicious activity. Understanding the criteria for removing these labels is equally important for keeping the data accurate and relevant.
C2 detection in Censys datasets
In Censys, C2 detection and the resulting labeling of web assets combine active scanning and behavioral analysis. Assets labeled C2 may also show certain service patterns, such as protocols or configurations commonly linked to C2. These include unusual SSH banners or specific HTTP responses.
False positives and the C2 label
C2 fingerprints are generated directly from scan data, making any information within the scan data a potential detection trigger.
If a fingerprint no longer matches following a rescan of an asset, the label is removed. While occasional false positives are expected, the C2 labeling system generally provides accurate results.
C2 label removal
Typically, if the behavior that resulted in a C2 detection is no longer present, Censys removes the label within 72 hours.