Georgi Nikolov

New ways to run Kali Linux on Windows using WSL

Some time ago I wrote a blog about Installing Linux Bash Shell (and Metasploit) on Windows 10. This is great, when we want to enjoy the best of both worlds- keep using Windows, with its out-of-the-box configuration and set-up, and still be able to use the powerful tools available for the Linux distribution. In my previous blog I went through the steps necessary for setting up WSL and installing an Ubuntu and Kali Linux distribution. Since then, a lot of advancements have been made to facilitate the use of these distributions for Windows Users.

Read more
MARk: Visualizations with D3.js

Detecting suspicious or malicious activity in a network is not a trivial task. In recent years the attacks perpetrated have grown in sophistication and frequency. For this reason a new detection tool was developed, in the form of the Multi Agent Ranking framework (MARk). MARk sets the groundwork for the implementation of large scale detection and ranking systems through the implementation of a distributed storage in conjuncture with highly specialized, stand-alone detector agents. The detector agents are responsible for analyzing specific predefined characteristics and producing a report of any suspicious activity encountered.

Read more
Running and Imaging with FTK Imager from a flash device

In the process of analyzing a suspicious machine, the first thing we need to do is to actually image the machine we want to investigate. There are different tools available to do this, but the one I most often use is FTK Imager by AccessData. The FTK Imager tool is easy to use and more importantly, there is a free version.

Read more
Fixing "[circuit_breaking_exception] [parent] Data too large, data for [<http_request>]" ELK Stack error

Recently I have encountered an error I wasn't too familiar with how to resolve, working with the ELK Stack. This specific error is the "[circuit_breaking_exception] [parent] Data too large, data for [<http_request>]". It is not directly visible where the error originates from, but with some sleuthing I discovered that it is caused by Elasticsearch preventing some requests from executing to avoid possible out of memory errors, as detailed in Elasticsearch Circuit Breaker documentation.

Read more
What is Obsidian.md and why you should use it

In everyday life we need to constantly keep ourselves reminded of important information. Some people write this information on post-it notes, notebooks or using programs such as Microsoft Word or Google Notes. The problem is, that information is in itself transitive- one piece of data or a note can lead to another one and it can become cumbersome and difficult to follow the trail of information. Our brain works the same way, usually we store information by association- to remember a fact, we try to think, for example, of where we learned the fact, or who told it to us, and follow the links to the information we try to remember.

Read more
Collecting data with Filebeat

In modern network infrastructures, there are a lot of sources of data, that can be of interest for collection and analysis, to see if possible suspicious activity is present in the network. More often than not, this data is collected and send to a Security Information and Event Management (SIEM) tool, running on the network, where it can be processed and reviewed by domain specialists.

Read more
The ELK Stack and how to use it

Managing big networks can be quite complicated- many inbound and outbound requests, network traffic, email correspondence and other activities that need to be monitored. It is quite easy for an attacker to obfuscate his actions, when we are confronted with large amounts of network data to analyze. Luckily there are ways to aggregate all this data and store it so it can be reviewed and hopefully discover any abnormal activity. Of course, I am talking about the use of a Security Information and Event Management (SIEM) framework. One such framework that has gained a lot of popularity, because of its modularity and open-source nature, is the ElasticSearch/Logstash/Kibana framework.

Read more
Optimizing and compressing your Windows Virtual Machine

As I mentioned in the previous blog posts on the subject of the GHOSTS framework, I often use virtual machines to set up and run my tests. In the case of GHOSTS, i have the main GHOSTS server API running on a Linux VM with docker and docker-compose, and the GHOSTS client is running on a Windows 10 virtual machine. If you are interested to read about it, you can find the previous blogs at the following links:

Read more
Installing Linux Bash Shell (and Metasploit) on Windows 10

For years, there has been an OS war between Linux, Windows and macOS for dominance. Each side would vehemently defend their OS of choice and disregard any positive sides of their "opponents". Of course, each operating system has its benefits and drawbacks and it is not my job or place to say which is the best.

Read more
Setting up a watering hole attack with metasploit

In recent years we have witnessed multiple organised attacks against countries and companies using malicious code that was distributed via a legitimate website. These types of attacks are called "watering hole attacks" as they target well known and used websites and compromising them. You could compare this to dumping poison or other dangerous chemicals in a pond or well, where your intentions are to target any and all that use that source. One of the more famous such attacks was the CCleaner Watering Hole attack, which used the well-known tool CCleaner to distribute its malicious code.

Read more
Simulate user activity with the GHOSTS framework: Client set-up and Timelines

In part I of our look into the GHOSTS framework, we managed to set up the GHOSTS servers on our computer and connect a simple Windows VM, running the client code, to the GHOSTS API server. The next step is to configure properly our Windows Client to simulate the activity of a real user. To do that we will set up multiple programs and tools that can be run automatically and define their behaviour.

Read more