Guides & Tutorials
Whether you are setting up the framework for the first time or looking for specific module documentation, these guides cover the practical side of working with Veil in authorized lab environments. Each guide emphasizes defensive context — what to monitor, what to log, and how to interpret results.
Getting Started
New to the framework? Start here:
- Veil Tutorial — A step-by-step walkthrough covering installation, lab setup, your first payload, and interpreting the results from a defensive perspective.
- Command-Line Usage — Complete reference for CLI flags, options, and module selection. Covers both interactive and scripted modes.
- Guides & Videos Hub — Additional walkthroughs and supplementary materials.
Module-Specific Guides
Deeper documentation for each framework component:
- PowerShell Payloads — PowerShell-specific considerations: execution policies, Constrained Language Mode, script block logging (event ID 4104 in the PowerShell Operational log), and how defenders can monitor PowerShell-based activity.
- PowerView Usage Guide — Practical guide to Active Directory enumeration with PowerView, including what defensive teams should watch for in event logs.
- Veil-PowerView Overview — Module architecture and integration points for the PowerView component.
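The PowerShell controls named above can be audited from the host itself. The script below is an added example written for this page, not code from the Veil project or any of the linked guides: it reports the effective execution policy, the session's language mode and whether script block logging is enforced by policy, then pulls recent 4104 script block events and flags ones containing a few illustrative strings. The indicator list is an assumption for demonstration; tune it to your environment. Run it in an elevated session on a Windows host.

```powershell
# Added example (not from the Veil project): audit the three PowerShell controls
# discussed in the PowerShell Payloads guide, then review recent script block logs.
# Registry path, event log name and event ID are the documented Microsoft ones.

function Get-PowerShellControlState {
    # Execution policy is not a security boundary, but the effective value shows
    # what the host does with unsigned scripts by default.
    $policies  = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    # Constrained Language Mode (enforced via AppLocker/WDAC) blocks Add-Type,
    # most .NET method calls and COM, which many payload stagers depend on.
    $languageMode = $ExecutionContext.SessionState.LanguageMode

    # Script block logging is set by the Group Policy
    # "Turn on PowerShell Script Block Logging", which writes this key.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue
    $scriptBlockLogging = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)

    [pscustomobject]@{
        EffectiveExecutionPolicy = $effective
        ExecutionPolicyScopes    = $policies
        LanguageMode             = $languageMode
        ScriptBlockLoggingOn     = $scriptBlockLogging
    }
}

function Get-RecentScriptBlocks {
    param(
        [int]$MaxEvents = 50,
        # Assumption: an illustrative indicator list; extend it for your environment.
        [string[]]$Indicators = @('FromBase64String', 'Invoke-Expression', 'IEX',
                                  'DownloadString', 'VirtualAlloc', 'Reflection.Assembly')
    )
    # Event 4104 carries the de-obfuscated script block text.
    # Properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
    #             [3] ScriptBlockId, [4] Path
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value
        # -match is case-insensitive; escape so '.' in an indicator is literal.
        $hits = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            ScriptId   = $e.Properties[3].Value
            Indicators = ($hits -join ',')
            Preview    = $text.Substring(0, [Math]::Min(120, $text.Length)).Replace("`n", ' ')
        }
    }
}

Get-PowerShellControlState | Format-List
# Only show script blocks that matched at least one indicator.
Get-RecentScriptBlocks | Where-Object Indicators | Format-Table -AutoSize
```

If `ScriptBlockLoggingOn` is false, 4104 events will still appear for blocks PowerShell considers suspicious (it logs those regardless of policy), so an empty result is not proof that logging is enabled; check the policy value, not just the log.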
Safety & Analysis
Responsible handling and analysis practices:
- Safely Checking Payloads Against VirusTotal — How to evaluate detection rates without compromising operational security or violating platform terms.
- Building Trust in Evasion Payloads — Integrity, code signing, and supply-chain considerations when distributing or using security tools.
Defensive Research & Detection
Understanding evasion from the blue team perspective:
- Hunting Sensitive Data — Techniques and telemetry for detecting data discovery and exfiltration attempts in enterprise environments.
- Hunting Users — Identifying user enumeration and privilege escalation reconnaissance through log analysis.
- Cobalt Strike Beacon Detection — Telemetry analysis and detection strategies for beacon-style command-and-control activity.
Technical Deep Dives
Advanced topics and implementation details:
- DEP & PyInstaller — How Data Execution Prevention interacts with PyInstaller-packaged payloads, and what this means for both offense and defense.
- PrependMigrate Technique — Process migration patterns, detection opportunities, and defensive recommendations.