Maltego Machines help analysts and researchers to streamline workflows and decrease the amount of manual work involved during a Maltego investigation, allowing users to speed through the process of data collection and allocate more time to analyzing an automatically populated graph.
To fully understand Maltego Machines, read the in-depth guide on our website: a series of articles that explain what Machines do and showcase them in use.
- Part 1: What are Machines & How do They Automate Investigations?
- Part 2: 7 New Maltego Machines for Cybersec & SOCMINT
- Part 3: An Overview of Pre-Installed OSINT Machines in Maltego (Coming soon!)
- Part 4: How to Write and Create Your Own Maltego Machines (Coming soon!)
What are Maltego Machines?
Maltego Machines automate the process of running Transforms.
Maltego Machines are macros in the Maltego Desktop Client that run multiple Transforms on a data set. These macros are written in the Maltego Scripting Language (MSL), a custom scripting language developed so that any user can create their own Machines.
Depending on the script, a Machine can run Transforms in parallel, sequentially, or both: several Transforms can run against the same input Entity at once, and the Entities returned by one Transform can be fed as the input to the next Transform in a chain.
Figure 1: Nodes with the same color are results of the same Transform. The number indicates the order in the Transform sequence of the Machine.
Maltego Machines are best used to simplify and automate repetitive or standardized investigation processes, specifically the process of data collection and data mapping.
This automation provides two main advantages: it saves investigators' time, and it lowers the barrier to investigation.
Machines Save Time
Let's assume that you are a cybersecurity analyst and one of your routine tasks is to perform infrastructure footprinting of the organization's network in order to map its exposed assets and spot potential indicators of compromise (IoCs). If you must manually run over a dozen Transforms each time you create a network footprint, the task becomes not only time-consuming but tedious.
This is where Machines come in. Machines exist to automate this type of standardized process. As the Machine does its work, investigators can use the time for other tasks and preparation. Once the Machine is done, an investigator can come back to a fully populated graph and begin analyzing the results.
By standardizing processes and implementing automations, both large investigative teams and individual analysts can allocate their time more efficiently and establish more streamlined workflows.
Machines Lower the Barrier for Non-Technical Investigators
Another advantage that Maltego Machines provide is lowering the barrier of investigation for non-technical investigators and newcomers to the analyst profession.
It is common to have a mixture of technical and non-technical investigators with varying degrees of experience working together in analyst teams. Although Maltego is designed for all types of investigators, how quickly new members are onboarded depends largely on factors such as the maturity and size of the team.
By setting up Machines for standardized processes, investigation teams can ensure that their novice as well as advanced members are able to conduct important data mapping and link analysis tasks easily and independently.
Maltego Enterprise Machines
Read our documentation page on Maltego Enterprise Machines for a comprehensive overview as well as a list of Maltego Machines exclusively available to Maltego Enterprise users.
Built around the standard workflows used in cybersecurity, cybercrime, and social media investigations, these Enterprise Machines allow investigators to quickly gather fundamental data points and finish the groundwork of their investigations in a few clicks.
Which Types of Machines are Available in Maltego?
There are three types of Machines available in the Maltego Desktop Client:
- Pre-Installed OSINT Machines
- Third-Party Machines
- Custom Machines
Pre-Installed OSINT Machines
Maltego comes with a set of pre-installed Machines that are built with Maltego Standard Transforms. These Machines are free to use for all Maltego users and they query OSINT data to perform tasks like network footprinting.
Below, you will find a list of all pre-installed Maltego OSINT Machines:
- Company Stalker
This Machine will try to get all email addresses tied to a domain and then see which resolves to social networks. It also gets documents and extracts meta data.
- Find Wikipedia Edits
This Machine takes a domain and looks for possible Wikipedia edits.
- Footprint L1
This performs a level 1 (fast, basic) footprint of a domain.
- Footprint L2
This performs a level 2 (mid) footprint of a domain.
- Footprint L3
This performs a level 3 (intense) footprint on a domain. It takes a while and eats resources. Use with care.
- Footprint XXL
This Machine is built to work on really large targets that are hosting their own infrastructure. It attempts to obtain the footprint by looking at SPF records hoping for netblocks as well as reverse delegated DNS to their name servers. It is very important to look at what the user-filter is presenting to you, or else you will retrieve false positives. This Machine can result in massive graphs, so please be patient, and ensure you have plenty of RAM.
- Person – Email Address
Tries to obtain someone's email address and sees where it's used on the Internet.
- URL to Network and Domain Information
Starts from a URL and collects the network and domain information behind it.
Besides the pre-installed Machines, Maltego integrates with a variety of free and paid third-party data sources. Some of these data integrations, such as RiskIQ PassiveTotal and Farsight DNSDB, come with Machines created by the integration developers.
Users who have API keys or subscriptions to the data integrations will be able to access these Machines upon installation of the Hub items.
Below, you will find a list of all Machines from free-tier data integrations and Transform Hub items:
RiskIQ PassiveTotal
- Certificate Explorer
This Machine takes an IP address as input and quickly explores certificate connections based on detailed certificate information and IP overlap.
- Child Pair Enrichment
This Machine takes a Domain Entity as input and prunes the enrichment Transform results so that only Tags are displayed.
- Domain Analysis
This Machine pulls all relevant information from PassiveTotal about a given domain by running:
  - [PT] Get Dynamic Status
  - [PT] Get Whois Details
  - [PT] Get Passive DNS
  - [PT] Get Subdomains
- Domain Explorer
Pulls all relevant information from PassiveTotal about a given domain and all of its second-order connections.
- Google Tracker ID Enrichment
Quickly enriches domain associations from Google Tracker IDs.
- IP Analyzer
Brings together passive DNS, SSL certificate, and enrichment data for a single IP address.
- IP Explorer
Rapidly builds out second-order connections and enrichment data for a given IP address.
- Parent Pair Enrichment
Gets Parent Pair associations for a domain, enriches the domains, and prunes unwanted Entities.
- SSL Enrichment
Takes an SSL certificate hash, gets all associated IP addresses and their associations, enriches all Entities, and prunes unnecessary results.
TinEye
- To Similar Images and To Pages
Runs the TinEye Transforms To Similar Images and To Pages Linking to Image.
ATT&CK – MISP
- MISP Event to All
Automatically expands MISP Objects to their attributes.
- To Attribute & Object Attributes
Also automatically expands MISP Objects to their attributes.
Have I Been Pwned?
- @haveibeenpwned v3 Alias
Checks to see whether an alias has been listed as breached by @haveibeenpwned API v3.
- @haveibeenpwned v3 Email Address
Checks to see whether an e-mail address has been listed as breached by @haveibeenpwned API v3.
- @haveibeenpwned v5 Pwned Password
Checks a password against "Pwned Passwords" v5 using the API's k-anonymity range search: only the first five hex characters of the password's SHA-1 hash are sent, and the match is made client-side against the returned hash suffixes.
Farsight DNSDB
- DNSDB Enumerate Domain
Takes a Domain Entity, pulls all known hostnames and MX, NS and TXT records, resolves IPs for *.domain, then maps those IPs to Netblocks and on to ASNs.
Finally, Maltego allows users to create their own Machines. With just a few lines of code, investigators can easily build Machines for their standardized investigative processes.
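The following Machine is an added example, written for this page in the Maltego Scripting Language; it is not one of the pre-installed Machines and not code from Maltego's own documentation. It ties together the parallel-versus-sequential execution described under "What are Maltego Machines?" and the user-filter step that the Footprint XXL description warns about: three DNS Transforms run in parallel against the input Domain, the resulting DNS names are then resolved in sequence, and a user filter lets the analyst drop shared-hosting or CDN addresses before the netblock lookup turns them into false positives. The Machine ID, display name and author are placeholders, and the Transform IDs are assumed to be those of the Standard Transforms; check them against the Transform Manager in your client before running the Machine.

```msl
// Example Machine (added here, not part of Maltego's shipped Machines).
// Machine ID, displayName and author are placeholders.
machine("example.QuickDomainFootprint",
        displayName: "Quick Domain Footprint (example)",
        author: "Example Author",
        description: "Parallel DNS collection, sequential resolution, and a user filter before the netblock step.") {

    start {
        // Sibling path{} blocks run in parallel against the same input Domain;
        // Transforms inside one path{} run one after another.
        paths {
            path {
                status("Resolving name servers")
                run("paterva.v2.DomainToNSrecord_DNS")       // assumed Standard Transform ID
            }
            path {
                status("Resolving mail exchangers")
                run("paterva.v2.DomainToMXrecord_DNS")       // assumed Standard Transform ID
            }
            path {
                status("Searching for hostnames")
                run("paterva.v2.DomainToDNSName_SE")         // assumed Standard Transform ID
            }
        }

        // Sequential stage: narrow the working set to the DNS names produced
        // above, then feed them into the next Transform.
        type("maltego.DNSName", scope: "new")
        run("paterva.v2.DNSNameToIPAddress_DNS")             // assumed Standard Transform ID

        // Let the analyst prune the IP set before the netblock lookup. Shared
        // hosting and CDN addresses left in here yield netblocks the target does
        // not own, which is exactly the false-positive problem Footprint XXL warns about.
        type("maltego.IPv4Address", scope: "new")
        userFilter(title: "Review IP addresses before netblock lookup",
                   heading: "IP addresses",
                   description: "Deselect shared hosting, CDN or third-party addresses. Anything left selected is mapped to a netblock.",
                   proceedButtonText: "Continue")
        run("paterva.v2.IPAddressToNetblock_WhoisIP")        // assumed Standard Transform ID

        log("Footprint complete. Verify that each netblock is actually owned by the target before treating it as in scope.", showEntities: false)
    }
}
```

Save the script through the Machine Manager in the Desktop Client, select a Domain Entity on the graph, and run it from the Machines tab. The `type(..., scope: "new")` filters are what make the second stage sequential: each `run` only acts on the Entities produced by the step before it, so the IP addresses never flow back into the DNS Transforms.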