Threat Intelligence / OSINT / NETSEC / NATSEC

Maltego - analyzing large and small dots

In previous posts, we dealt with OSINT information gathering in various fields; this time we will look at a specific tool. Not just any tool, because it is a real workhorse that greatly facilitates both data collection and its interpretation. Maltego is definitely one of my favorite OSINT tools. It combines the functions of collecting information and cataloging it, and supports analysis through a graphical representation of the results. In addition, for non-commercial purposes it is available in a free version, the Community Edition, so everyone can take advantage of its benefits. Maltego is an extensive and powerful tool, so to begin with we will look at the basic functionality and principles of operation.

Starting from the very beginning, the program can be downloaded from the website maltego.com; versions for Windows, Linux and Mac are available:

Naturally, you will also find the program among the software installed on Ronan.

In addition, to use transforms, i.e. operations on objects that gather data, we must register a free account here.

After installation, on first launch we will have to choose the type of license (here we will use the free Maltego Community Edition) and log in to the account created earlier. Finally, we will see a welcome screen where, in addition to messages from the manufacturer, we will see a list of transform packages available for installation:

The basic ones are Standard Transforms CE, a set of transforms that the manufacturer provides as part of the free version, and CaseFile Entities, objects from the fully offline version of Maltego called CaseFile; installing them makes graphs created in CaseFile compatible with those from Maltego. As we can see, there are quite a lot of both package categories and price options. For private use, we will be interested in two categories: fully free, and Free and Bring your own key. In the case of the latter category, installing the package is free, but to use its functionality we will have to enter access data, such as an API key. In this way we can use services that also offer free accounts and allow access through third-party applications, such as VirusTotal, PassiveTotal or HybridAnalysis. The ability to collect data from external services is one of the biggest advantages of Maltego. It can become an interface connecting many information sources and presenting them in a unified way, including situations where we apply transforms from different suppliers to one object, such as a domain, to obtain a complete picture of the situation. Installing a package is limited to pressing the Install button and, where needed, entering login data for the service.

So now let's go to the main workbench and open an empty graph (to better illustrate the workspace, I have already added a few example objects). To add an object, we simply drag it from the Entity Palette on the left into the graph area:

The working area consists of three main parts:

  1. At the top you will find a toolbar similar to those in text editors. Here we have access to graph display functions, analysis (such as selecting all connections originating from a given object), grouping of large numbers of objects, as well as export and import functions and collaboration on one graph.
  2. The large rectangle in the center is the main working area; here we will see the effects of the transforms and machines we use, and we can manipulate the graph to analyze the information.
  3. On the left, right and bottom of the work area you will find auxiliary tools that help with operations on objects. On the left side there is the palette of objects, and when we click on a given object, below it we will see a list of transforms and machines that can be run on it. Under the graph, in the Output window, the logs of executed transforms are displayed; this way we can see how many results a transform returned or whether there were any errors during its execution. On the right side there is the Overview window, which shows a diagram of the whole graph, useful especially once we already have a lot of objects. In the same place, after selecting the Machines tab, we will find machine execution logs similar to those in the Output panel, but relating to machines rather than individual transforms. Below, in the Detail View panel, the details of the selected object type are displayed, so we can find out here, for example, whether a given object comes from the Maltego package or from an external supplier. Finally, at the bottom you will also find two tabs, Property View and Hub Transform Inputs. The first contains information about the object in the context of the graph, such as the number of incoming and outgoing links, and the second contains information about the variables used by transforms.

Now let's look at the types of objects, as examples I chose several objects from different categories:

Maltego is most often associated with the analysis of activity in cyberspace - fragments of graphs are very often found in threat intelligence reports, for example here in the recent Recorded Future report on China's intelligence activity. In fact, however, the range of possibilities is much wider, which I wanted to show at this point. I have divided the objects into three groups:

  1. On the left, at the top, I put the most classic and related to the analysis of network infrastructure. So here we have an IP address, domain, ASN, mail and DNS servers or objects on social networks, such as the hashtag on Twitter. Transformations on them will make it possible to detect connections between infrastructure elements, such as domains hosted on the same IP address.
  2. On the left, at the bottom, we can see elements from additional modules: from the left there is an object from PassiveTotal, Bitcoin and Ethereum wallet addresses and a GreyNoise object. By using extensions, we will therefore be able to add information from other sources to our investigations.
  3. Finally, on the right, I have placed some examples of elements completely unrelated to the cyber sphere. These objects are most often used by analysts dealing with more "offline" investigations, and we find them installed by default in CaseFile. An analyst mapping members of terrorist groups can thus manually structure the organization using objects such as a terrorist, a drug dealer, missile weapons or chemical weapons. In addition, we will find many objects related to locations, such as a port, airport, prison or shop. So even if, due to the nature of our work, we do not benefit from transforms, Maltego can help us as an "analyst's notebook" by visualizing the connections we have discovered in external investigations.

After getting to know the basics, let's move on to the practical use of Maltego's capabilities for collecting and analyzing information. As example data, we can use the activity indicators from the already mentioned Recorded Future report:

Objects can be added manually by dragging the appropriate objects from the palette and filling in their values, or by preparing a CSV file for import:

To show how the data import and preparation process looks like, we will choose the latter option. After saving the data to a CSV file in your favorite spreadsheet, select the option of importing an external graph from the menu:

Then we select the appropriate file and the first decision we have to make is how the data from the columns are to be combined:

Since we need the usual binding of the first column to the second, we will choose manual connection and define the links ourselves. Next, we have to choose the type of object assigned to each column; in my case Maltego did not detect the object types correctly, so first I removed the bindings using the Unmap all option. Then I manually chose the Hash type for the first column and Domain for the second:

Then we select the type of connection between the columns; we can do it graphically by dragging an arrow from the first to the second column in the Connectivity Graph tab:

Finally, Maltego will show us some additional import options, such as whether to import the entire table or only selected rows; we can accept the default settings here. After importing, we will see the following graph:

As we can see, domains that appeared in the table several times, because they were associated with several hashes, were automatically merged. So we can see how many malware samples are associated with a given domain. To quickly collect basic information about the domains, we can use the Footprint L1 machine, which will show data about the infrastructure on which the domains are hosted:

As we can see, 3 of the domains share a common IP address. Continuing this thread, we can reverse the process and find other domains on the same address with the To DNS name from passive DNS transform. We will find other domains that could potentially be interesting for our search:
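The two steps above (merging repeated domains on CSV import so that each domain's incoming links count its samples, then pivoting on a shared IP address) can be reproduced outside Maltego. The following is an added example, not code from the original post or from Maltego; the hash/domain CSV and the domain-to-IP resolutions are constructed placeholders standing in for the report's indicators and for what the Footprint L1 machine returns.

```python
import csv
import io
from collections import defaultdict

# Constructed sample import file, same shape as the CSV prepared for
# Maltego's import dialog (column 1 = Hash, column 2 = Domain).
# Values are placeholders, not indicators from the report.
SAMPLE_CSV = """hash,domain
aaaa1111,update.example-one.test
bbbb2222,update.example-one.test
cccc3333,cdn.example-two.test
dddd4444,mail.example-three.test
eeee5555,update.example-one.test
"""

# Constructed passive-DNS style resolutions (the kind of data the
# Footprint L1 machine adds to the graph); documentation-range addresses.
SAMPLE_RESOLUTIONS = {
    "update.example-one.test": "192.0.2.10",
    "cdn.example-two.test": "192.0.2.10",
    "mail.example-three.test": "198.51.100.7",
    "other.example-four.test": "192.0.2.10",
}

def load_edges(csv_text):
    """Read hash->domain rows; each row becomes one directed link."""
    edges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        edges.append((row["hash"].strip(), row["domain"].strip()))
    return edges

def samples_per_domain(edges):
    """Merge repeated domains into one node and count incoming links,
    i.e. how many samples reference each domain."""
    counts = defaultdict(int)
    for _, domain in edges:
        counts[domain] += 1
    return dict(counts)

def shared_ips(resolutions, min_domains=2):
    """Group domains by resolved IP; keep only IPs shared by several
    domains, which are the pivot points for a passive-DNS lookup."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions.items():
        by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for domain, n in sorted(samples_per_domain(load_edges(SAMPLE_CSV)).items(), key=lambda x: -x[1]):
        print(f"{domain}: {n} sample(s)")
    for ip, domains in shared_ips(SAMPLE_RESOLUTIONS).items():
        print(f"{ip} shared by {', '.join(domains)}")
```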

Now, in turn, we will try a different route and use the machine from PassiveTotal; again, to use this functionality all you need is a free account at https://community.riskiq.com and to install the package in Maltego from the start screen.

This time I narrowed the scope to a single domain, as the PassiveTotal machine will provide us with much more data. First of all, we will get detailed information about the domain registration, including date, country and registrant. With this kind of data we will often run into private registration services hiding the details, so we will have to dig into the data to find something interesting. My favorite tool for finding common points is the organic view, which we find as the third option in the toolbar on the left side of the workspace:

In this view, objects that were enriched with data collected by transforms become centers, with the gathered information arranged around them; this way we can easily see connection points between the centers. To further emphasize the results, we can use tools that change the size of objects depending on the number of connections. Choosing size according to outgoing connections, our domains will definitely come to the fore:

And if we choose size according to the number of connections from different objects, the shared parts of the analyzed infrastructure will become the largest:

Here, for example, the preference for using Cloudflare in building the infrastructure is very clear. Now let's look at the second set of indicators we imported, the malware hashes. External transform packages that allow us to query malware databases for information about hashes will definitely be useful. The most popular of these is by far VirusTotal. As with PassiveTotal, we can obtain an API key as part of a free community account. So let's try to query the hashes through the VT transforms:

As you can see, Maltego matched the hashes to specific files in the VirusTotal database; now the Detail View and Property View tabs come in handy, because there we will find the details of each object:

Searching for information about malware samples is quite an unusual situation for me personally; most often, when tracking a campaign, the process runs the other way around. From the analysis of samples one obtains indicators such as domains or IP addresses that allow knowledge about the infrastructure used to be built up. However, if we start from an external report, as in this case, the important information is whether the samples are in the databases at all. This indicates the extent to which the campaign is already recognized by other researchers and, above all, tells us whether samples are available for collection and further analysis.

Returning to Maltego, however, let's take a look at our graph in its entirety:

Thus, using only a few tools and basic object types, on the basis of data from an external report, we were able to find the characteristic features of the infrastructure used by, in this case, Chinese intelligence. Additionally, thanks to the external VirusTotal transforms, we collected basic information about the files related to the campaign and leads for further action, that is, we learned that samples are available in the VT database. This is obviously a fraction of Maltego's capabilities, additionally focused on only one of the possible areas, the analysis of cyber operations. However, I hope that I have shown the basics of working with this tool and that they will help in your own analyses 🙂
