Veil Tutorial: Getting Started
This tutorial walks you through setting up the Veil Framework in a controlled lab environment, generating your first test payload, and interpreting the results from a defensive perspective. By the end, you will have a working lab, a generated payload, and — more importantly — the telemetry data that tells you what your detection stack caught and what it missed.
We cover the lab environment, the monitoring stack, running the framework, and analyzing the output. If you have done this kind of work before, feel free to skip to the section that matches your current setup.
Prerequisites
Before starting, you need:
- A virtualization platform — VMware Workstation, VirtualBox, or equivalent. Hyper-V works but has networking quirks that can complicate lab setups.
- An attack host — Kali Linux or Parrot OS are common choices. You can also run the framework on any Linux system with Python 3 installed.
- Target systems — At least one Windows 10/11 VM. A Windows Server VM with Active Directory is useful for PowerView testing.
- Isolation — Your lab network must be isolated from production. Use a host-only or internal network adapter.
Do not run the framework on systems connected to production networks. This is not a theoretical concern — accidental execution on the wrong network can cause real problems and may violate laws.
Step 1: Lab Network Configuration
Set up an isolated network segment:
- Create a host-only network in your virtualization platform (e.g., VMware's "Host-Only" adapter or VirtualBox's "Internal Network")
- Assign static IPs to your attack host and target systems
- Verify connectivity between lab machines
- Verify there is no route to your production network or the internet
A common layout:
- Attack host: 10.10.10.5
- Windows target: 10.10.10.10
- Domain controller (optional): 10.10.10.1
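A quick way to confirm the segment really is isolated before anything else is built on it. This is an added example, not part of the Veil project or the original tutorial; it runs on the Windows target VM and uses the tutorial's addresses above, and the outside address (8.8.8.8) and DNS name (example.com) are just probes you can swap for anything that exists only on your production side.

```powershell
# Added example (not Veil code): verify the target VM can reach lab peers and
# nothing else. Run on the Windows target; addresses follow the tutorial's layout.
function Test-LabIsolation {
    param(
        [string[]]$LabPeers = @('10.10.10.5', '10.10.10.1'),   # attack host, DC
        [string[]]$MustBeUnreachable = @('8.8.8.8')            # anything outside the lab
    )
    $result = [ordered]@{}

    # 1. No default route: a host-only / internal adapter should not supply a gateway.
    $default = Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' }
    $result['NoDefaultRoute'] = -not $default

    # 2. Lab peers answer ICMP (WarningAction hides the noisy "ping failed" banner).
    foreach ($peer in $LabPeers) {
        $result["Reach_$peer"] = (Test-NetConnection -ComputerName $peer -WarningAction SilentlyContinue).PingSucceeded
    }

    # 3. Outside addresses do not answer.
    foreach ($addr in $MustBeUnreachable) {
        $result["Blocked_$addr"] = -not (Test-NetConnection -ComputerName $addr -WarningAction SilentlyContinue).PingSucceeded
    }

    # 4. External name resolution should fail too: a working resolver is a path out.
    $result['NoExternalDns'] = -not (Resolve-DnsName -Name 'example.com' -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$check = Test-LabIsolation
$check | Format-List
if (($check.PSObject.Properties | Where-Object { -not $_.Value }).Count -gt 0) {
    Write-Warning 'Lab isolation check failed; fix the network before generating payloads.'
}
```

Every property should read True. A False on NoDefaultRoute usually means the VM still has a NAT or bridged adapter attached alongside the host-only one; remove it rather than just disabling it in the guest.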
Step 2: Monitoring Stack
Set up monitoring before you generate any payloads. The telemetry is the entire point.
On your Windows target(s):
- Install Sysmon with a tuned configuration
- Enable PowerShell script block logging (Group Policy → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Script Block Logging). Script blocks are written to Microsoft-Windows-PowerShell/Operational as event ID 4104.
- Enable process creation auditing (Security event ID 4688). This needs two settings: Audit Process Creation under Advanced Audit Policy Configuration, and "Include command line in process creation events" under Administrative Templates → System → Audit Process Creation. Without the second, 4688 records the image path but not the arguments.
- If available, install your organization's EDR agent in audit/passive mode
On your attack host or a separate monitoring VM:
- Set up a log collector (ELK stack, Splunk Free, or even just Windows Event Forwarding to a central collector)
This takes more time than generating the payload, but it is the step that makes everything else valuable.
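The three endpoint settings above, applied and then proven live from one elevated Windows PowerShell session on the target. This is an added example, not Veil code or configuration shipped with the framework. The two paths are assumptions: point them at the Sysmon binary from Sysinternals and whichever tuned configuration you chose. The registry values are the ones the Group Policy settings write, which is why setting them directly works on a standalone lab VM with no domain policy applied.

```powershell
# Added example (not Veil code): enable Sysmon, 4688 with command line, and script
# block logging on a Windows 10/11 target, then verify each source is producing events.
# Run from an elevated Windows PowerShell 5.1 session. Paths below are assumptions.
$SysmonExe    = 'C:\Tools\Sysmon64.exe'
$SysmonConfig = 'C:\Tools\sysmonconfig.xml'

# 1. Script block logging (event 4104): the value the GPO setting writes.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Process creation auditing (event 4688) plus the command line in the event body.
#    Without the second value, 4688 carries the image path but not the arguments.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 3. Sysmon: install with the tuned config, or just reload the config if already present.
if (Get-Service -Name Sysmon64, Sysmon -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $SysmonConfig | Out-Null
} else {
    & $SysmonExe -accepteula -i $SysmonConfig | Out-Null
}

# 4. Verify by producing a known event and looking for it in each log.
function Test-LabTelemetry {
    # A child PowerShell carrying a random marker should leave a Sysmon 1, a Security
    # 4688 (marker in CommandLine) and a PowerShell 4104 (marker in ScriptBlockText).
    # A Sysmon config that excludes powershell.exe will make the first check False.
    $marker = "VeilLabProbe$(Get-Random)"
    & powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null
    Start-Sleep -Seconds 2
    $since = (Get-Date).AddMinutes(-1)
    $seen = {
        param([string]$Log, [int]$Id)
        $hits = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.ToXml() -like "*$marker*" }
        [bool]$hits
    }
    [pscustomobject]@{
        Sysmon_ProcessCreate   = & $seen 'Microsoft-Windows-Sysmon/Operational' 1
        Security_4688_CmdLine  = & $seen 'Security' 4688
        PowerShell_4104_Script = & $seen 'Microsoft-Windows-PowerShell/Operational' 4104
    }
}

Test-LabTelemetry | Format-List
```

All three properties should be True before you generate a payload. The probe is deliberately a fresh powershell.exe process: script block logging applies to sessions started after the policy value is set, so testing inside the session that set it would give a false negative.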
Step 3: Framework Installation
On your attack host:
Clone the repository and run the setup. The framework requires Python 3 and several dependencies. On Kali Linux, most prerequisites are pre-installed.
Verify the installation by launching the interactive menu. You should see the module selection interface listing available payload types.
Step 4: Your First Payload
For a first test, start with a simple Python-based payload:
- Launch the framework and select the Evasion module
- Browse the available payload types
- Select a Python-based payload (these are simpler to analyze)
- Accept the default options for your first run
- Note the output file path
The framework generates the payload and saves it to your output directory. Before moving it to your target, ensure your monitoring is active and capturing events.
Step 5: Deployment and Analysis
Transfer the generated file to your target VM (use a shared folder or SCP — not email or cloud storage). Execute it and observe:
- On the target: Does your AV/EDR flag it? Does it execute? What processes spawn?
- In your logs: What events did Sysmon capture? What PowerShell events fired? What network connections appeared?
- In your SIEM/collector: Can you build a timeline of the execution from log data alone?
The answers to these questions are the deliverable of evasion testing. Whether the payload "worked" is secondary to whether your detection stack saw it happen.
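The "timeline from log data alone" question, turned into a query you can run on the target once the payload has executed. This is an added example, not Veil code; it reads the three sources configured in Step 2 with Get-WinEvent, pulls the named EventData fields out of each event's XML (so it does not depend on message formatting), and pivots from anything that names the payload to its child processes via Sysmon's ProcessGuid / ParentProcessGuid link. The payload file name is an assumption; use whatever Veil wrote to its output directory.

```powershell
# Added example (not Veil code): rebuild the payload's execution on the target from
# the Sysmon, Security and PowerShell logs. $PayloadName is an assumed file name.
function Get-PayloadTimeline {
    param(
        [string]$PayloadName = 'payload.exe',
        [int]$MinutesBack = 30
    )
    $since = (Get-Date).AddMinutes(-$MinutesBack)

    # Sysmon 1/3/11 (process create, network connect, file create), Security 4688
    # (process create with command line), PowerShell 4104 (script block text).
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational';     Id = 1, 3, 11; StartTime = $since }
        @{ LogName = 'Security';                                 Id = 4688;     StartTime = $since }
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104;     StartTime = $since }
    )
    $events = foreach ($f in $filters) { Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue }

    $rows = foreach ($e in $events) {
        # Named EventData fields from the XML, not the rendered message text.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }

        if ($e.Id -eq 4688)     { $proc = $d['NewProcessName']; $parent = $d['ParentProcessName'] }
        elseif ($e.Id -eq 4104) { $proc = $d['Path'];           $parent = $null }
        else                    { $proc = $d['Image'];          $parent = $d['ParentImage'] }

        $detail = switch ($e.Id) {
            1    { $d['CommandLine'] }
            3    { "$($d['Protocol']) $($d['SourceIp']):$($d['SourcePort']) -> $($d['DestinationIp']):$($d['DestinationPort'])" }
            11   { $d['TargetFilename'] }
            4688 { $d['CommandLine'] }
            4104 { $t = $d['ScriptBlockText'] -replace '\s+', ' '
                   if ($t.Length -gt 120) { $t.Substring(0, 120) + '...' } else { $t } }
        }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Source      = $e.ProviderName
            Id          = $e.Id
            Process     = $proc
            Parent      = $parent
            ProcessGuid = $d['ProcessGuid']         # Sysmon events only
            ParentGuid  = $d['ParentProcessGuid']   # Sysmon 1 only
            Detail      = $detail
        }
    }

    # Seed on anything that names the payload, then include children and their
    # network/file activity by following the Sysmon GUID link one level down.
    $names = { param($r) ($r.Process, $r.Parent, $r.Detail) -like "*$PayloadName*" }
    $guids = @($rows | Where-Object { (& $names $_) -and $_.ProcessGuid } | ForEach-Object ProcessGuid)
    $rows | Where-Object {
        (& $names $_) -or
        ($_.ProcessGuid -and $_.ProcessGuid -in $guids) -or
        ($_.ParentGuid  -and $_.ParentGuid  -in $guids)
    } | Sort-Object Time
}

Get-PayloadTimeline -PayloadName 'payload.exe' |
    Format-Table Time, Source, Id, Process, Parent, Detail -AutoSize -Wrap
```

Read the output against the questions above: a 4688 and Sysmon 1 for the payload but no Sysmon 3 means it never called home (or your Sysmon config filters that destination); a Sysmon 1 for the payload with no matching 4688 means command-line auditing is not actually on. The same fields are what your collector receives, so any gap here is a gap in the SIEM as well.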
Next Steps
Once you are comfortable with the basic workflow:
- Command-Line Usage — Learn the CLI flags for scripted and automated testing
- Veil-Evasion — Deep dive into the evasion module
- PowerShell Payloads — PowerShell-specific testing considerations
- Modules — Explore all available framework modules