Skip to main content

Overview

Decepticon integrates Sliver C2 as its command-and-control framework, enabling real adversary-grade post-exploitation: implant deployment, session management, credential harvesting, and lateral movement through C2 channels. C2 is not bolted on as an afterthought — it’s a core component of the operational network architecture.

Enabling C2

Sliver C2 is activated via Docker Compose profiles:
This adds the Sliver team server to the operational network (sandbox-net) alongside the Kali sandbox and any target infrastructure.

Architecture

The C2 team server runs entirely on the operational network — completely isolated from the management infrastructure. No C2 traffic crosses network boundaries.

Capabilities

Implant Generation & Deployment

The agent generates Sliver implants tailored to the target environment and deploys them through the established access:
  • Platforms — Windows, Linux, macOS
  • Formats — Shellcode, executables, shared libraries
  • Evasion — Obfuscation, custom builds

C2 Channels

Multiple communication channels supported:

Post-Exploitation via C2 Sessions

Once an implant establishes a session, the post-exploit agent operates through it:
  • Credential harvesting — Dump credentials, tokens, and keys from compromised hosts
  • Lateral movement — Pivot to internal systems through established C2 sessions
  • Internal reconnaissance — Map networks, enumerate services, and discover new targets from inside the perimeter
  • Persistence — Establish long-term access mechanisms

Profile-Based Configuration

C2 frameworks are swappable via Docker Compose profiles. Only Sliver is implemented and shipping today — the profile system is designed so additional frameworks (Havoc, Mythic, etc.) can be plugged in later, but those are not yet available:

Infrastructure

Learn about the isolated network architecture that keeps C2 traffic separated from management.