With the launch of our updated Maltego transform set three weeks ago, PassiveTotal made even more of our functionality and data available to the Maltego community. With this new functionality came a significant increase in the number of transforms available for querying the PassiveTotal platform and while we all know more is better, it can be cumbersome to sift through all the transform options available.
In an effort to aid our analyst community we have developed Maltego machines that can assist in analysis and bring that single aggregated infrastructure view into our transform set. These machines seek to replicate the single query functionality that users have come to expect from the PassiveTotal platform within a Maltego graph.
What are Maltego Machines?
Maltego machines are scripts that allow analysts to automatically run transforms based on criteria specified by the developer. Machines can run transforms in one of two way:
- Sequential - transforms output is piped into the next transforms to quickly build a graph based on multiple entities
- Parallel - multiple transforms are run against an initial input to pull as much data as possible together about a single entity
Analyze and Explore
For this release of PassiveTotal machines, we have two separate use cases - the concept of quick analysis and large data set exploration.
The purpose of our analyze machines is to provide a quick ability to bring all relevant data for a single entity into a graph. When using our transforms, we often found ourselves starting with an unknown data point where we wanted to find as much data as possible. This would require us right clicking on the same entity multiple times in order to get exactly what we wanted. We have developed analyze machines to query a domain, IP address, or SSL certificate.
For example, the PassiveTotal IP Analyze machine runs multiple queries against the PassiveTotal dataset for a single IP address. As the image below shows, this machine brings together passive DNS resolution information, malware associations, open source intelligence, and SSL certificate associations. Theres no need to continuously right-click on the same entity and find the exact transform; one click and we have everything we need to begin our investigation.
Our Explorer machines allow analysts to quickly pull second order associations for entities of interest into a graph with minimal effort. In our blog post "Harnessing SSL Certificates Using Infrastructure Chaining", we showed how analysts could track the Turla actors using shared certificate connections. Using our Certificate Explorer machine, you can easily replicate our analysis process with the press of a button.
With one query, we bring together certificate associations to the IP address in question, passive SSL for the certificates in question, passive DNS, and OSINT associations. This process ultimately builds out a large data cluster, which once sorted, allows an analysts quickly identify the outlying connections as new possible Turla domains.
Both our analyzer and explorer machines seek to make investigations in Maltego easier for our user community and save analysts time by reducing the amount of manual pivoting that must be done when researching a suspicious entity.
Bring on the Machines
So, how can you put these robots to work immediately? Great question - we are making these machines available in our PassiveTotal Github account. To add them to your Maltego instance, simply go to the machine tab and click the Manage Machines button.
From here you can manage all machines configured in your maltego instance. You can add, delete, update, and disable machines as you wish.
Clicking on the green plus icon on the left-hand corner of the window will begin the wizard process for adding a new machine. Fill out the details for the machine with whatever you would like and then click next. On the next screen, you will need to select the type of machine being added. All of the PassiveTotal machines are the first category, macro, and will simply run a series of actions on the input specified.
The last step in the process is to copy the specific PassiveTotal machine you would like to install and paste it into the machine editor window. Once complete, click save and you are all set. If you are interested in running the machine, you can do so by clicking Run Machine from the toolbar menu. This will prompt for your starting input and then execute the defined macro.
As we continue to identify new use cases and research processes for our transform set we will make additional machines available. In the meantime, if you have an idea for a machine, let us know!
The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need
Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...