C2 Labels in Censys Search
This article explains how command and control (C2) labels are applied in Censys Search datasets and under which conditions they are removed.
C2 detection in Censys datasets
Censys detects and labels C2 web assets through a mix of active scanning and behavioral analysis. Assets labeled C2 may also exhibit service patterns commonly linked to C2, such as particular protocols or configurations. Examples include unusual SSH banners or specific HTTP responses.
False positives and the C2 label
C2 fingerprints are generated directly from scan data, making any information within the scan data a potential detection trigger.
If a fingerprint no longer matches following a rescan of an asset, the label is removed. While occasional false positives are expected, the C2 labeling system generally provides accurate results.
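The label lifecycle described above, sketched as an added example (not Censys code): the fingerprint names, patterns, field names and scan records are all constructed for illustration. It shows a label being applied when scan data matches a fingerprint, including a benign false-positive match, and dropped when the rescan no longer matches.

```python
import re

# Hypothetical fingerprints (constructed; not Censys's actual rules).
# Each maps scan-record fields to patterns that must all match.
FINGERPRINTS = {
    "example-ssh-banner": {"ssh.banner": re.compile(r"^SSH-2\.0-ExampleC2_\d+")},
    "example-http-response": {
        "http.status": re.compile(r"^404$"),
        "http.body": re.compile(r"^\s*example-c2-default-page\s*$"),
    },
}


def matching_fingerprints(scan):
    """Return names of fingerprints whose every field pattern matches the scan."""
    return sorted(
        name for name, fields in FINGERPRINTS.items()
        if all(p.search(str(scan.get(f, ""))) for f, p in fields.items())
    )


def relabel(labels, scan):
    """Recompute the c2 label from the latest scan only; other labels are kept."""
    labels = set(labels) - {"c2"}
    if matching_fingerprints(scan):
        labels.add("c2")
    return labels


# Constructed scan records for one asset across three scans.
SCANS = [
    {"ssh.banner": "SSH-2.0-OpenSSH_9.6", "http.status": 200, "http.body": "hello"},
    # Benign host that happens to emit a matching banner: a false positive.
    {"ssh.banner": "SSH-2.0-ExampleC2_1 honeypot", "http.status": 200, "http.body": "hello"},
    {"ssh.banner": "SSH-2.0-OpenSSH_9.6", "http.status": 200, "http.body": "hello"},
]


def label_history(scans, initial=("other-label",)):
    """Apply relabel() scan by scan and return the label set after each."""
    labels, history = set(initial), []
    for scan in scans:
        labels = relabel(labels, scan)
        history.append(sorted(labels))
    return history


if __name__ == "__main__":
    for i, labels in enumerate(label_history(SCANS)):
        print(f"scan {i}: {labels}")
```

Because the label is derived only from the most recent scan, consumers who copy labeled assets into a blocklist need their own expiry logic to track removals.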
C2 label removal
Typically, if the behavior that resulted in a C2 detection is no longer present, Censys removes the label within 72 hours.