
How to Execute SWELF

Ceramicskate0 edited this page May 23, 2020 · 22 revisions

Execution Method 1:

Using SWELF in a network as a forwarder (no command-line arguments will be accepted).

  • SWELF is designed primarily to be run as a scheduled task (but it is really up to you when and how to execute it; any autorun method for an exe file should work). Why? This avoids a number of security concerns, password exposure issues, UAC issues and permission issues for me, the developer, and gives you, the user, a native way to run an exe in a high-integrity context without exposing the credentials of the account running it through the application itself (assuming proper security configurations are applied to the OS). It also lets you, the admin, decide how often you want logs collected and the program run without having to configure the application. Additionally, it allows for better and easier GPO-based deployments and implementations. It even allows you, the admin, on a Windows 10 machine to forcibly deny SWELF the ability to run its plugins via Exploit Protection.
  • Here is some weirdness in SWELF that is there by design.
    • On first run, if no config is present, SWELF will create one and will need to be run again. This gives you a chance to see what a correct config looks like and then change it if needed.
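The two steps above (a one-time first run so SWELF can write its default config, then a scheduled task that runs the exe under a high-integrity account without storing a password in the application) can be scripted as follows. This is an added example, not code from the SWELF project; the install path, task name and 15-minute interval are assumptions, and the script deliberately passes no arguments to SWELF.exe because forwarder mode accepts none.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the SWELF project): do the one-time first run, then
# register SWELF as a scheduled task running as SYSTEM at the highest run level.
# The install path, task name and interval below are assumptions; adjust them.

param(
    [string]$SwelfExe        = 'C:\Program Files\SWELF\SWELF.exe',  # placeholder install path
    [string]$TaskName        = 'SWELF Log Forwarder',
    [int]   $IntervalMinutes = 15
)

if (-not (Test-Path -LiteralPath $SwelfExe)) {
    throw "SWELF executable not found at $SwelfExe"
}
$workDir = Split-Path -Parent $SwelfExe

# Step 1: first run. With no config present SWELF writes a default one and must be
# run again, so run it once synchronously, then review and edit the text files it
# created in $workDir before the scheduled task starts picking them up.
Start-Process -FilePath $SwelfExe -WorkingDirectory $workDir -Wait -NoNewWindow
Write-Output "First run complete. Review the config files SWELF created in $workDir."

# Step 2: scheduled task. Running under SYSTEM via the Task Scheduler means no
# account password is ever handed to, or stored by, SWELF itself.
$action    = New-ScheduledTaskAction -Execute $SwelfExe -WorkingDirectory $workDir
# A long fixed repetition duration is used instead of an open-ended one because
# some Windows versions reject an indefinite value.
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
                 -RepetitionInterval (New-TimeSpan -Minutes $IntervalMinutes) `
                 -RepetitionDuration (New-TimeSpan -Days 3650)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
# Do not start a second copy while one is still forwarding; cap runaway runs.
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                 -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify what was registered (account and run level) before walking away.
$task = Get-ScheduledTask -TaskName $TaskName
'{0}: state={1}, user={2}, runlevel={3}' -f $task.TaskName, $task.State,
    $task.Principal.UserId, $task.Principal.RunLevel
```

Because the task is registered with `-Force`, re-running the script after editing the config simply overwrites the existing task with the same settings, which is what you want when pushing it out through GPO or PSRemoting.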

Want to know how? See the docs:

Execution Method 2 :

Using as an EVTX Analyzer (locally, as a command-line tool).

See The Docs:

Other Ideas

  • Well, if I'm being totally honest: if you do not want to use scheduled tasks to run SWELF, that's OK. If it is the first run of the app on any machine, execute it once. It will run just long enough to set up its requirements and defaults and will then be ready to run normally. CONFIGURE IT via the locally created text files and you're good to go. How you do this is up to you: PSRemoting, WMI, etc.