Veil-Catapult

Catapult is the payload delivery and deployment module within the Veil Framework. It automates the process of transferring generated payloads to target systems and executing them in a controlled lab environment. The module handles staging, execution, and cleanup, which is useful for structured testing scenarios where consistent delivery conditions are required.

If you have ever manually copied payloads to targets over SMB, executed them via PsExec, and then cleaned up artifacts — only to do it thirty more times during a purple team exercise — you understand why delivery automation matters.

What Catapult Does

Catapult provides several delivery mechanisms:

• File transfer — Automated transfer of generated payloads to target systems via common protocols
• Remote execution — Triggering payload execution on targets through remote administration interfaces
• Staging — Placing payloads in specific directories for deferred execution
• Cleanup — Removing delivered files and artifacts after testing is complete

Each mechanism exercises different detection surfaces. SMB-based delivery tests network monitoring. Remote execution via WMI or service creation tests endpoint detection. Staging tests file integrity monitoring.

Defensive Value

Catapult's automation means each delivery follows the same pattern, which is ideal for detection tuning. When you run ten deliveries with identical parameters, your detection stack should catch all ten or none. Inconsistent detection across identical deliveries reveals reliability issues in your monitoring.

What to Monitor

• Event ID 5145 — SMB share access for file delivery
• Event ID 7045 — Service creation for remote execution
• Event ID 4688 — Process creation from delivered payloads
• Network traffic — File transfers between workstations (unusual in most environments)

Lab Setup

Catapult requires:

• Network connectivity between your attack host and target systems
• Administrative credentials for remote delivery mechanisms
• Proper audit logging on target systems to capture delivery events
• An isolated lab environment (no production network access)

Integration with Other Modules

Catapult sits between payload generation (Evasion) and post-exploitation (Pillage) in the assessment workflow:

1. Evasion generates the payload
2. Catapult delivers and executes it on the target
3. Pillage handles post-exploitation data collection

This modular separation allows you to test each phase independently or as a combined workflow.

Related

• Catapult Category — Related articles and research
• Veil-Evasion — Payload generation (upstream from Catapult)
• Modules Directory — All framework modules
• Veil Tutorial — Getting started guide