Veil-Catapult: Articles & Research

This category collects articles, guides, and research notes related to the Veil-Catapult module — the payload delivery and deployment automation component of the Veil Framework.

About Veil-Catapult

Catapult handles the delivery phase of a security assessment: getting a generated payload from the attack host to the target system and executing it. In a lab environment, this module automates what would otherwise be manual file transfer and execution steps, enabling repeatable testing conditions.

For defensive teams, understanding delivery mechanisms is important because this is the phase where network-level detection, endpoint protection, and execution controls intersect. A payload that evades AV but is caught during delivery has still failed from the attacker's perspective.

Related Content

Module Documentation

• Catapult Module Page — Detailed module documentation and lab usage guidance
• Modules Directory — Where Catapult fits in the framework

Related Modules

• Veil-Evasion — Generates the payloads that Catapult delivers
• Pyherion — Obfuscation applied before delivery
• Veil-Pillage — Post-exploitation after delivery succeeds

Detection Resources

• Veil Tutorial — End-to-end walkthrough including delivery
• Framework Overview — Architecture context

Delivery Detection Points

Defensive teams should monitor for delivery activity at multiple layers:

• Network: Unusual file transfers via SMB, WMI, or other remote execution protocols
• Endpoint: New file creation in unusual directories, especially by remote processes
• Execution: Process creation from recently transferred files
• Authentication: Credential use for remote access that deviates from normal patterns