FrameworkGuidesModulesRelease NotesAbout

Modules

Directory of all Veil Framework modules — Evasion, PowerView, Catapult, Pyherion, and Pillage. Explore each module's role in authorized security testing and defensive research.

Module Directory

The Veil Framework is composed of distinct modules, each addressing a specific phase of an authorized security assessment. This page serves as the central hub — from here, you can navigate to detailed documentation for each component.

Understanding the interplay between these modules matters more than mastering any single one. A payload generated by Evasion might be delivered via Catapult, obfuscated by Pyherion, and the resulting access leveraged by Pillage. Defensive teams benefit from understanding this chain because detection at any point in the sequence disrupts the entire operation.

Core Modules

Veil-Evasion

The payload generation engine. Veil-Evasion produces executables and scripts designed to test whether your endpoint detection stack identifies known evasion techniques. It supports multiple output formats — Python, C, PowerShell, Ruby — and a range of encoding and obfuscation options.

The real value is not in generating payloads but in understanding what your defenses catch and what they miss. Every engagement should include Sysmon logging, EDR telemetry, and network monitoring to capture the full picture.

Read the Veil-Evasion documentation →

Veil-PowerView

An Active Directory enumeration toolkit. PowerView focuses on situational awareness — mapping trust relationships, identifying privileged accounts, discovering shares, and enumerating group policies. In a purple team context, this is the module that reveals whether your AD monitoring detects reconnaissance activity.

Read the PowerView documentation →

Veil-Catapult

The payload delivery module. Catapult automates the process of deploying generated payloads to target systems in a lab environment. It handles staging, execution, and cleanup, which is useful for repeatable testing scenarios where you need consistent delivery conditions.

Read the Catapult documentation →

Pyherion

A Python-based crypter and obfuscation module. Pyherion transforms Python payloads by applying various obfuscation techniques — variable renaming, control flow modification, string encoding. For detection engineers, understanding these transformations is essential for writing signatures that survive obfuscation.

Read the Pyherion documentation →

Veil-Pillage

The post-exploitation module. Pillage focuses on data collection, credential harvesting, and reporting after initial access has been achieved in a lab environment. Defensive teams use this to validate whether their data loss prevention controls and lateral movement detections are functioning.

Read the Pillage documentation →

Choosing the Right Module

Which module you start with depends on what you are testing:

| Testing Goal | Primary Module | Supporting Modules | |---|---|---| | AV/EDR evasion detection | Evasion | Pyherion | | AD reconnaissance detection | PowerView | — | | Payload delivery detection | Catapult | Evasion | | Post-exploitation monitoring | Pillage | PowerView | | Full kill-chain exercise | All | All |

For a structured walkthrough of setting up your first engagement, see the Veil Tutorial. For command-line reference and syntax, see the Command-Line Usage guide.