Overview

Decepticon integrates Sliver C2 as its command-and-control framework, enabling real adversary-grade post-exploitation: implant deployment, session management, credential harvesting, and lateral movement through C2 channels. C2 is not bolted on as an afterthought — it’s a core component of the operational network architecture.

Enabling C2

Sliver C2 is activated via Docker Compose profiles:

    COMPOSE_PROFILES=c2-sliver decepticon

This adds the Sliver team server to the operational network (sandbox-net) alongside the Kali sandbox and any target infrastructure.

Architecture

┌─────────────────────────────────────────────────┐
│            sandbox-net (operational)            │
│                                                 │
│  ┌──────────┐  ┌──────────┐  ┌───────────────┐  │
│  │   Kali   │  │  Sliver  │  │    Target     │  │
│  │ Sandbox  │←→│ Team Svr │←→│ Infrastructure│  │
│  └──────────┘  └──────────┘  └───────────────┘  │
│       ↑                                         │
│  sliver-client                                  │
│  (pre-installed)                                │
└─────────────────────────────────────────────────┘

The C2 team server runs entirely on the operational network — completely isolated from the management infrastructure. No C2 traffic crosses network boundaries.
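
A check for the isolation property described above, as an added example that is not part of Decepticon's documentation or code: it inspects configuration shaped like the output of `docker compose config --format json` and reports any service gated by the c2-sliver profile that is attached to a network other than sandbox-net, uses host networking, or publishes host ports. The service names, the mgmt-net network and the port in the constructed samples are assumptions.

```python
# Constructed samples shaped like `docker compose config --format json` output.
# Service names, "mgmt-net" and the published port are assumptions.
ISOLATED = {"services": {
    "sliver": {"profiles": ["c2-sliver"], "networks": {"sandbox-net": None}},
    "sandbox": {"networks": {"sandbox-net": None}},
    "api": {"networks": {"mgmt-net": None}},
}}
LEAKY = {"services": {
    "sliver": {
        "profiles": ["c2-sliver"],
        "networks": {"sandbox-net": None, "mgmt-net": None},
        "ports": [{"target": 8443, "published": "8443"}],
    },
}}


def isolation_findings(config, profile="c2-sliver", op_net="sandbox-net"):
    """List the ways a profile's services escape the operational network."""
    findings = []
    services = {
        name: svc for name, svc in config.get("services", {}).items()
        if profile in (svc.get("profiles") or [])
    }
    if not services:
        return [f"no service is gated by profile {profile}"]
    for name, svc in sorted(services.items()):
        # `networks` may be a mapping (rendered config) or a list (hand-written);
        # a service with no networks entry lands on Compose's "default" network.
        attached = set(svc.get("networks") or ["default"])
        for net in sorted(attached - {op_net}):
            findings.append(f"{name}: attached to {net}")
        if op_net not in attached:
            findings.append(f"{name}: not attached to {op_net}")
        if svc.get("network_mode") == "host":
            findings.append(f"{name}: uses the host network namespace")
        if svc.get("ports"):
            findings.append(f"{name}: publishes ports on the host")
    return findings


if __name__ == "__main__":
    for label, cfg in (("isolated", ISOLATED), ("leaky", LEAKY)):
        print(label, isolation_findings(cfg) or "OK")
```

To run it against a real deployment, replace the samples with the parsed JSON rendered while the c2-sliver profile is active.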

Capabilities

Implant Generation & Deployment

The agent generates Sliver implants tailored to the target environment and deploys them through the established access:
  • Platforms — Windows, Linux, macOS
  • Formats — Shellcode, executables, shared libraries
  • Evasion — Obfuscation, custom builds

C2 Channels

Multiple communication channels are supported:

| Channel | Use Case | Stealth Level |
|---------|----------|---------------|
| mTLS | Default — encrypted, reliable | Medium |
| HTTPS | Blends with normal web traffic | High |
| DNS | Tunnels through DNS queries | Very High |

Post-Exploitation via C2 Sessions

Once an implant establishes a session, the post-exploit agent operates through it:
  • Credential harvesting — Dump credentials, tokens, and keys from compromised hosts
  • Lateral movement — Pivot to internal systems through established C2 sessions
  • Internal reconnaissance — Map networks, enumerate services, and discover new targets from inside the perimeter
  • Persistence — Establish long-term access mechanisms

Profile-Based Configuration

C2 frameworks are swappable via Docker Compose profiles. Only Sliver is implemented and shipping today — the profile system is designed so additional frameworks (Havoc, Mythic, etc.) can be plugged in later, but those are not yet available:

    # Sliver C2 — the only supported framework today (default)
    COMPOSE_PROFILES=c2-sliver

    # Planned for future releases (not yet available):
    # COMPOSE_PROFILES=c2-havoc
    # COMPOSE_PROFILES=c2-mythic
