IMPORTANT: Maltego Machines are macros written using the Maltego Scripting Language - a custom scripting language developed to allow any user to build their own Machines.
Overview
Maltego Machines help analysts and researchers to streamline workflows and decrease the amount of manual work involved during a Maltego investigation, allowing users to speed through the process of data collection and allocate more time to analyzing an automatically populated graph.
To fully understand Maltego Machines, please read the in-depth guide on our website: a series of articles that not only explain the functionality of Machines but also showcase what they can do.
- What are Machines & How do They Automate Investigations?
- 7 New Maltego Machines for Cybersec & SOCMINT
- Automating Brand Protection and Anti-Counterfeit Analysis with Machines
- How to accelerate SOC Operations with Transforms and Machines
- Network Footprinting with Machines using Maltego
What are Maltego Machines?
Maltego Machines represent the automation of the Transform running process.
Maltego Machines are macros, run in Maltego Graph (Desktop), that execute multiple Transforms on a data set. These macros are written using the Maltego Scripting Language, a custom scripting language developed to allow any user to create their own Machines.
Depending on the script, Machines can run Transforms both in parallel and sequentially. Users can run multiple Transforms on the same data Entity, run a series of Transforms where each step's output feeds the next, or combine both in one Machine.
Figure 1: Nodes with the same color are results of the same Transform. The number indicates the order in the Transform sequence of the Machine.
As the Machine runs, investigators can use that time for other tasks and preparation. Once the Machine is done, users will see a fully populated graph, the results of which they can begin to analyze.
By standardizing processes and implementing automations, both large investigative teams and individual analysts can allocate their time more efficiently and, thus, establish more streamlined workflows.
Maltego Machines are best used to simplify and automate repetitive or standardized investigation processes, specifically the process of data collection and data mapping.
This automation provides two main advantages: saving investigators' time and lowering the barrier to investigation.
Machines Save Time
Let’s assume that you are a cybersecurity analyst and one of your routine tasks is to perform infrastructure footprinting to analyze and identify potential indicators of compromise (IoCs) in the organization’s network. If you must manually run over a dozen Transforms each time you create a network footprint, the task will not only become time-consuming, but tedious.
This is where Machines come in. Machines are created to automate this type of standardized process. As the Machine does its work, investigators can use the time for other tasks and preparation. After the Machine has run, an investigator can come back to a fully populated graph and begin analyzing the results.
By standardizing processes and implementing automations, both large investigative teams and individual analysts can allocate their time more efficiently and establish more streamlined workflows.
Machines Lower the Barrier for Non-Technical Investigators
Another advantage that Maltego Machines provide is lowering the barrier of investigation for non-technical investigators and newcomers to the analyst profession.
It is common for analyst teams to combine technical and non-technical investigators with varying degrees of experience. Although Maltego is designed for all types of investigators, a fast onboarding process depends largely on factors such as the maturity and size of the team.
By setting up Machines for standardized processes, investigation teams can ensure that their novice as well as advanced members are able to conduct important data mapping and link analysis tasks easily and independently.
Which Types of Machines are Available in Maltego?
There are three types of Machines available in Maltego Graph (Desktop):
- Pre-Installed OSINT Machines
- Third-Party Machines
- Custom Machines
Pre-Installed OSINT Machines
Maltego comes with a set of pre-installed Machines that are built with Maltego Standard Transforms. These Machines are free to use for all Maltego users and they query OSINT data to perform tasks like network footprinting.
Below, you will find a list of all Pre-Installed, Maltego OSINT Machines:
- Company Stalker
This Machine will try to get all email addresses tied to a domain and then see which of them resolve to social networks. It also retrieves documents and extracts their metadata.
- Find Wikipedia Edits
This Machine takes a domain and looks for possible Wikipedia edits.
- Footprint L1
This performs a level 1 (fast, basic) footprint of a domain.
- Footprint L2
This performs a level 2 (mid) footprint of a domain.
- Footprint L3
This performs a level 3 (intense) footprint on a domain. It takes a while and eats resources. Use with care.
- Footprint XXL
This Machine is built to work on really large targets that host their own infrastructure. It tries to obtain the footprint by looking at SPF records, hoping for netblocks, as well as at DNS reverse-delegated to the target's name servers. It is very important to look at what the userfilter presents you, otherwise you will end up with false positives. This Machine can result in massive graphs, so please 1) be patient and 2) have lots of RAM.
- Person – Email Address
Tries to obtain someone's email address and sees where it's used on the Internet.
- URL to Network and Domain Information
Starting from a URL, collects network and domain information.
Third-Party Machines
Besides the pre-installed Machines, Maltego integrates with a variety of free and paid third-party data sources. Some of these data integrations, such as RiskIQ PassiveTotal and Farsight DNSDB, come with Machines created by the integration developers.
Users who have API keys or subscriptions to the data integrations will be able to access these Machines upon installation of the Hub items.
Below, you will find a list of all Machines from Free-Tier Data Integrations & Data Hub items:
RiskIQ PassiveTotal
- Certificate Explorer
This Machine takes an IP address as input and quickly explores certificate connections based on certificate details and IP overlap.
- Child Pair Enrichment
This Machine takes a Domain Entity as input and prunes the output of the enrichment Transform so that only Tags are displayed.
- Domain Analysis
This Machine will pull all relevant information from PassiveTotal about a given domain.
- [PT] Get Dynamic Status
- [PT] Get Whois Details
- [PT] Get Passive DNS
- [PT] Get Subdomains
- Domain Explorer
Pulls all relevant information from PassiveTotal about a given domain and all second order connections.
- Google Tracker ID Enrichment
Quickly enriches domain associations from Google Tracker IDs.
- IP Analyzer
Brings together passive DNS, SSL certificate, and enrichment data for a single IP address.
- IP Explorer
Rapidly build out second order connections and enrichment data for a given IP address.
- Parent Pair Enrichment
Gets Parent Pair associations for a domain, enriches the domains, and prunes unwanted Entities.
- SSL Enrichment
Takes an SSL certificate hash, gets all associated IP addresses and their associations, enriches all Entities, and prunes unnecessary results.
TinEye
- To Similar Images and To Pages
Executes the TinEye Transforms "To similar pages" and "To pages linking to image".
ATT&CK – MISP
- MISP Event to All
Automatically expands MISP Objects to their attributes.
- To Attribute & Object Attributes
Also automatically expands MISP Objects to their attributes.
Have I Been Pwned?
- @haveibeenpwned v3 Alias
Checks to see whether an alias has been listed as breached by @haveibeenpwned API v3.
- @haveibeenpwned v3 Email Address
Checks to see whether an e-mail address has been listed as breached by @haveibeenpwned API v3.
- @haveibeenpwned v5 Pwned Password
Checks a password against "Pwned Passwords" v5 using its k-anonymity lookup.
Farsight DNSDB
- DNSDB Enumerate Domain
Takes a Domain Entity, pulls all known hostnames and MX, NS, and TXT records, resolves IP addresses for *.domain, and then maps those to Netblocks and ASNs.
Custom Machines
Finally, Maltego allows users to create their own Machines. With just a few lines of code, investigators can build Machines for their standardized investigative processes.
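As an added illustration (not a Machine shipped with Maltego or taken from its documentation), the script below sketches a small custom footprinting Machine in the Maltego Scripting Language that combines the parallel and sequential Transform runs described earlier and inserts a user filter before the graph grows, the way the Footprint XXL description recommends. The Machine name, the author string, the Transform IDs (paterva.v2.*) and the userFilter parameter names are assumptions and should be checked against the Transforms installed in your Transform Hub and the MSL reference before use.

```groovy
// Added example: a minimal custom Machine in Maltego Scripting Language.
// Machine name, author, Transform IDs and userFilter parameters are assumed.
machine("example.DomainFootprintLite",
    displayName: "Domain Footprint Lite (added example)",
    author: "Example author",
    description: "Runs DNS Transforms on a Domain in parallel, then resolves and filters the results") {

    start {
        // Parallel step: two Transforms on the same Domain Entity, each in its own path
        status("Resolving name servers and mail servers")
        paths {
            path {
                run("paterva.v2.DomainToDNSNameNS_DNS")   // assumed Transform ID
            }
            path {
                run("paterva.v2.DomainToMXrecord_DNS")    // assumed Transform ID
            }
        }

        // Sequential step: every DNS name produced above is fed into IP resolution
        status("Resolving DNS names to IP addresses")
        run("paterva.v2.DNSNameToIPAddress_DNS")          // assumed Transform ID

        // Analyst checkpoint: deselect out-of-scope addresses before the graph grows further,
        // which keeps false positives (shared hosting, CDN ranges) out of the netblock step
        userFilter(title: "Check the IP addresses",
                   heading: "Resolved IP addresses",
                   description: "Untick addresses that do not belong to the target before continuing",
                   proceedButtonText: "Continue")

        // Final sequential step: map the remaining IP addresses to their netblocks
        status("Looking up netblocks")
        run("paterva.v2.IPAddressToNetblock_ReverseNS")   // assumed Transform ID

        log("Footprint complete", showEntities: true)
    }
}
```

Once the script is saved as a Machine in Maltego Graph (Desktop), it is run against a selected Domain Entity, and the user filter pauses the run until the analyst confirms which IP addresses to keep.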