Veil-Pillage: Articles & Research

This category collects articles, guides, and research notes related to the Veil-Pillage module — the post-exploitation data collection and reporting component of the Veil Framework.

About Veil-Pillage

Pillage focuses on the post-exploitation phase: after initial access has been achieved in a lab environment, what happens next? The module provides capabilities for credential collection, data discovery, and evidence gathering — all activities that defensive teams need to detect and respond to.

Understanding post-exploitation techniques is critical for defense because this is where the actual damage occurs. Initial access is a means to an end; data exfiltration, credential theft, and lateral movement are the activities that produce business impact.

Related Content

Related Modules

  • Veil-PowerView — AD enumeration that feeds into Pillage's targeting
  • Veil-Evasion — Payload generation for initial access testing
  • Catapult — Payload delivery that precedes post-exploitation

Defensive Recommendations

Organizations should monitor for post-exploitation indicators including:

  • Unusual credential access patterns (Windows Security Event IDs 4624 successful logon, 4625 failed logon, 4648 logon with explicit credentials)
  • Mass file access from a single account
  • Lateral movement indicators (remote service creation, scheduled tasks)
  • Data staging in unusual directories
  • Large data transfers to unexpected destinations