In Part 1, we introduced the handy Maltego automation feature known as Machines, and how to use them to further accelerate your investigations.
Today, we are happy to announce the release of a new set of Machines designed for cybersecurity and social media investigations.
Maltego Machines: A Blog Series
What are Maltego Machines? As a built-in feature in Maltego to automate standard or repetitive investigative steps, Maltego Machines allow users to speed through the process of data collection so they can allocate more time to analyzing an automatically populated graph.
In this release, we are launching 7 new Maltego Machines, each using a combination of various data integrations. Built according to standard and common workflows, these Machines allow you to quickly gather fundamental data points—with only a few clicks on your mouse—at the start of your investigations. Studying these Machines also enables you to understand the best practices and typical investigative steps.
Here is the full list of the new Machines categorized by investigation types:
Machines for Cybersecurity Investigations
Machines for Cybercrime Investigations
Machines for Social Media & Person-of-Interest Investigations
In this article, we will go through each Machine, its function, and how to best use them as part of your investigative workflows.
For a full technical overview of the Machines, please download this PDF guide.
How to Install & Use the New Machines
To start using these new Machines, install the Machines for Cyber Security Operations, Machines for Trust and Safety, or Machines for Government Hub Items on your Maltego Desktop Client, and make sure you have access to the respective Hub items they use. The Hub items each Machine depends on are listed in that Machine’s description and in the Details of the respective Hub item.
Intelligence Gathering L1 – Hashes [OSINT, Splunk]
The Intelligence Gathering L1 – Hashes [OSINT, Splunk] Machine supports basic intelligence gathering on Hash Entities and Splunk validation. The starting point for an investigation with this Machine is a maltego.Hash Entity.
This Machine is available to users who have integrated their Splunk instances with Maltego. Please make sure to install the required Hub items:
This Machine is essential for SOC teams looking to reduce the time required to enrich malware hashes with associated infrastructure information—C2 domains, URLs, IP addresses, file names, and more—while, at the same time, checking those findings against their own Splunk instance to confirm whether the same indicators appear in their environment.
Intelligence Gathering L2 – Hashes [OSINT, Splunk] 🔗︎
Going one level deeper than the L1 Machines, the Intelligence Gathering L2 – Hashes [OSINT, Splunk] Machine leverages the following Hub items on top of the ones used by the Intelligence Gathering L1 – Hashes [OSINT, Splunk] Machine:
While the L1 Machine focuses on providing the first level of information about the hashes and files, this L2 Machine checks for the associated infrastructure and validates the data against your Splunk instances.
Start your investigations by running this Machine on a maltego.Hash Entity.
Identify Relevant Threat Actors [Intel 471]
The Identify Relevant Threat Actors [Intel 471] Machine queries the Intel 471 underground dataset to identify threat actors who have authored posts mentioning specific keywords. As such, the starting point for this Machine is a maltego.Phrase Entity.
This Machine is of great help for threat intelligence analysts, government investigators, journalists, and security researchers looking to gain additional insights from conversations taking place on dark web forums.
This Machine is only available to those with access to the Intel 471 (Enterprise) Hub item either via a data subscription or an API key.
Identify Relevant Forum Threads [Intel 471]
As its name states, the Identify Relevant Forum Threads [Intel 471] Machine identifies forum threads mentioning a keyword, as well as the corresponding thread authors, using Intel 471 Transforms. As with the previous Machine, the starting point for an investigation is a maltego.Phrase Entity.
This Machine identifies dark web forum thread topics as well as the threat actors behind the conversations.
This Machine is available for those who have access to the Intel 471 (Enterprise) Hub item either via a data subscription or an API key.
Using the Maltego Standard Transforms and Social Links CE Transforms, the Basic Digital Footprint [OSINT] Machine maps the online footprint of a person’s name or alias. It retrieves information, including websites, social media platforms, images, locations, and potentially associated persons, organizations, and networks.
The Machine is available for free and requires no additional API keys for the Hub items involved. However, do make sure to install the Maltego Standard Transforms and TinEye Hub items before running it.
You should run this Machine on a Phrase Entity whose input value is the person’s name or alias. During the data gathering process, the Machine will prompt you to review the query results and keep only the relevant ones, so that the final output stays focused on the person you are investigating.
This is a perfect Machine to gain a basic, yet comprehensive overview of where a person’s name or alias has appeared on the internet, as well as what images, locations, and other individuals or organizations are associated with that name or alias.
Once the Machine is completed, you can manually pivot into infrastructure footprinting from the returned Website Entities to gather more network information or use the following two Machines to deepen your investigation.
This set of Machines is useful for zooming in on a person’s real-life information and quickly building a profile of your person-of-interest. Each Machine in this set has a different starting Entity.
Querying the Pipl identity database, the Full Identity Footprint [Pipl] Machine retrieves the following current and historical information for an individual:
- Full Name
- Physical Address(es)
- Email Address(es)
- Phone Number(s)
- Website(s) & Social Media Handle(s)
- Education and Career History
- Associate(s) & Relation(s)
- Hobbies and Interests
You can run this Machine on Person, Alias, Email and (profile) Url Entities.
This Machine is available for users who have access to the Pipl Hub item, either via a Pipl data subscription or an API key.
Deep Social Media Footprint [ShadowDragon SocialNet]
Utilizing the ShadowDragon SocialNet Transforms, the Deep Social Media Footprint [ShadowDragon SocialNet] Machine maps the social media footprint of a person’s name or alias. The Machine focuses on the person’s associated network of connections on Instagram and Twitter.
This Machine is available for users who have access to the ShadowDragon SocialNet Hub item via an API key, and the free Maltego Standard Transforms and Google Maps Geocoding Hub Items.
You can run this Machine on a Person Entity or an Alias Entity.
This Machine gives extensive insight into the following social aspects of a person-of-interest:
- Whose content this person consumes, based on the accounts they follow on Twitter
- Where this person visits, based on the locations they share on Instagram
Using the results of this Machine, you can run other ShadowDragon SocialNet Transforms to pivot into other parts of the social media footprinting process.
Start Using Maltego Machines to Accelerate Standard Investigative Workflows!
Maltego Machines are great tools to streamline and speed up complex investigations. We hope you enjoy using these new Machines as part of your investigations!
For a full technical overview of the Machines, please download this PDF guide.
Have suggestions for more useful Maltego Machines? Let us know by reaching out to firstname.lastname@example.org.
Don’t forget to follow us on Twitter and LinkedIn and sign up to our email newsletter, so you don’t miss out on updates and news!