Veil-PowerTools

Veil-PowerTools is a collection of PowerShell tools gathered together for an offensive approach to network security. One of the tools in Veil-PowerTools is called Veil-PowerView. These tools are used by hackers to mine for data. Once on a network, a hacker may use Veil-PowerView to see where shared user access is found. The attacker would then type:

PS C:\> Invoke-ShareFinder -Ping -CheckShareAccess -Verbose | Out-File -Encoding ascii found_shares.txt

This command queries Active Directory (AD) for all machine objects, pings each one to ensure the host is up before enumeration, checks each found share for read access, and writes everything to found_shares.txt. The -Verbose flag gives some status output as it works through all retrieved servers. This tool is often used to map out a network and locate where valuable data may be stored.

Another powerful tool found within Veil is called Veil-Catapult. This is a payload delivery tool that works in combination with Veil-Evasion. Veil-Catapult has various options you can set to deliver your payload. You can deliver the payload to single IPs or a list of IPs. You can also set a domain if you choose to. Veil-Catapult can upload and trigger the payload:

As you can see from the preceding screenshot, Veil-Catapult offers standalone payloads. The standalone payloads are tested and verified payloads that are proven to be effective. These payloads will often use PowerShell once triggered, created from a PowerShell-injected payload generated by Veil-Evasion. Another feature of Veil-Catapult is that it comes with its own cleanup scripts to cover its tracks. The script can be run by typing the following command: ./Veil-Catapult.py -r CLEANUP_FILE. This script will kill all associated processes on infected hosts, and then delete any uploaded binaries to cover any trace of infection.

Veil-Catapult goes even further in evasion than other Veil-Framework tools. It not only evades antivirus applications, but it is also able to clean up any traces of an attack. Veil-Catapult is a highly supported project and it is continually updated with new standalone payloads to use. Hackers who use Veil-Evasion as their payload generator and Veil-Catapult as their delivery method will be extremely difficult to stop.

That is why offensive security is important. As a threat hunter, you must actively search out this type of network activity and look for the signs of a pending attack. All the most successful hacking crimes that have taken place in the last twenty years have begun with some type of social engineering. If you notice your company and/or its network being probed for weak points, you can most likely expect an attack to happen soon. Being able to recognize the signs of a pending attack could make the difference. It is important for anyone in cyber security to have a solid understanding of how a hacker thinks, what tools they use to attack with, how those tools work, and where the newest tools will emerge from. It is highly recommended that, as a network security professional, you familiarize yourself with the Veil-Framework and its various tools.
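For the threat hunter, the share sweep described earlier (one host checking shares on every machine AD returns) leaves a fan-out pattern in file-share audit logs. The following is an added example, not code from the book or from the Veil project: it flags any source address that touches shares on many distinct hosts inside a short window. The CSV layout, the sample events, and the thresholds (five minutes, four hosts) are assumptions to adapt to your own log export; Security event 5140 is only recorded when file-share auditing is enabled.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Security event 5140 ("A network share object
# was accessed"). Columns: time, logging host, source IP, account, share name.
SAMPLE_EVENTS = r"""
2024-05-01T08:00:00,FS01,10.0.0.33,CORP\asmith,\\*\Finance
2024-05-01T09:00:00,FS02,10.0.0.33,CORP\asmith,\\*\Projects
2024-05-01T10:00:01,FS01,10.0.0.50,CORP\jdoe,\\*\IPC$
2024-05-01T10:00:03,FS02,10.0.0.50,CORP\jdoe,\\*\IPC$
2024-05-01T10:00:04,HR01,10.0.0.50,CORP\jdoe,\\*\IPC$
2024-05-01T10:00:06,SQL01,10.0.0.50,CORP\jdoe,\\*\Backups
2024-05-01T10:00:09,DC01,10.0.0.50,CORP\jdoe,\\*\SYSVOL
2024-05-01T11:00:00,HR01,10.0.0.33,CORP\asmith,\\*\Forms
2024-05-01T14:00:00,SQL01,10.0.0.33,CORP\asmith,\\*\Reports
"""

def parse_events(text):
    """Yield (time, target_host, source_ip, account, share) per CSV line."""
    for line in text.strip().splitlines():
        ts, host, src, account, share = line.split(",")
        yield datetime.fromisoformat(ts), host, src, account, share

def find_share_sweeps(events, window=timedelta(minutes=5), min_hosts=4):
    """Return {source_ip: [hosts]} for sources that accessed shares on at
    least min_hosts distinct hosts within any sliding window of that length."""
    recent = defaultdict(deque)          # source_ip -> deque of (time, host)
    flagged = defaultdict(set)
    for ts, host, src, _account, _share in sorted(events):
        seen = recent[src]
        seen.append((ts, host))
        while ts - seen[0][0] > window:  # drop accesses older than the window
            seen.popleft()
        hosts = {h for _, h in seen}
        if len(hosts) >= min_hosts:      # wide fan-out in a short time
            flagged[src].update(hosts)
    return {src: sorted(hosts) for src, hosts in flagged.items()}

if __name__ == "__main__":
    for src, hosts in find_share_sweeps(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible share sweep from {src}: {', '.join(hosts)}")
```

The workstation at 10.0.0.33 reaches the same four servers over a working day and is not flagged; only the burst from 10.0.0.50 crosses the threshold.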
