
Automating Brand Protection and Anti-Counterfeit Analysis with Machines

When conducting an investigation with Maltego, investigators execute various Transforms in sequence and use the results of those Transforms as input to the next. This process is potentially repeated for many different investigations.

Systematizing these processes can be hugely beneficial and time-saving. Maltego makes this achievable through automation using Machines. A Machine repeats a pattern of Transforms exactly as if you were operating the tool by hand.

For this example investigation, we will need to have the following Hub Items installed:

  1. Maltego Standard Transforms (the Maltego Standard Transforms Hub item)
  2. SSL Certificate Transforms (the SSL Certificate Transforms Hub item)

For our use case, a threat analyst for a multinational organization wishes to periodically conduct a brand protection investigation on the corporate top-level domain (TLD), as well as identify potentially forgotten domains. We will use PayPal as an example. The Machine will automate these investigative steps:

  1. Determine the TLDs with “paypal” as the hostname
  2. Determine which of these belong to PayPal
  3. Determine if there are any unused www DNS names

Using Maltego we can execute different Transforms to accomplish one aim. Starting with a “paypal.com” Domain Entity, we run the Transform “To Domain [Find other TLDs]”.

Image 3

The Transform looks up domains observed on the internet with the same hostname but different TLDs such as paypal.me, paypal.tk, etc.

Image 4

We can look at the DNS records to check whether a “www” name (i.e., a website) is associated with each domain, using the “To Website [Quick lookup]” Transform. This helps to identify which of these could be parked or cybersquatted.

Now that we have an overview of the “PayPal” Websites online, let’s run “To Certificate” from the SSL Certificate Transforms hub item on each Website to query the live SSL Certificates currently in use. Note: This Transform connects to the website and conducts a TLS handshake.

SSL certificates are a great way to determine which Domains are under the control of a single organization.

Image 5

The resulting Graph shows 28 “PayPal” Domains that use the same DigiCert EV certificate. 48 other Website Entities have no SSL certificate, and others use free SSL certificates such as Let’s Encrypt. With these results an analyst can quickly focus on particular websites for further investigation.

Let us automate the investigation process with a Machine

To create a new Machine, select the “New Machine” option under the Machines tab.

Image 6

Give the Machine a name, unique ID and some additional information about what it does.

Image 7

We are going to create a “Macro” Machine, which essentially means it will run only once when executed. Alternatively, a “Timed Machine” can be used to automatically run periodically, but we will leave that for a future example.

Image 8

Once the Machine metadata has been entered, the Machine Editor is shown as below.

Image 9

A Machine is written using the Maltego Scripting Language (MSL). The header contains metadata about the Machine, and the content of the Machine is enclosed in a “start {}” brace.

The Machine is initialized with some boilerplate code to get you started. Let us start by removing the two example Transforms from the autogenerated code.

Remember we want to automate the following sequence of Transforms.

Domain name -> Other TLDs -> Website -> Certificates

This is the sequence of Transforms we used, each time feeding the results of the previous Transform into the next one. Machines identify the Transform to run by its Transform ID. To find the ID, we use the right-side pane of the Machine Editor, where Transforms can be filtered by Input Entity type and selected from the Seeds installed in the Hub. Double-clicking a Transform adds it to the Machine at the cursor position.

Using this technique, let’s add the Transforms we used in the graph above to our Machine. We know we want to start with a domain, so set the “Filter by Input” field to Domain. Find the “To Other Domains [TLDs]” Transform in the list on the right, under the Paterva Public Transform server.

Image 10

Let’s do the same with the other Transforms: add “To Website [Quick Lookup]”, then change “Filter by Input” to Website and add the “To Certificate” Transform. The “start {}” code block should look as follows:

Image 11

This is all that is required for this simple Machine. Before clicking Save, test the code to check if it compiles.

Image 12

If we see “success”, we now have a working Machine. Click Save, close the Machine Editor, and open a new graph.

The Machine runs on the input Entity of the first Transform in the macro, so we add a Domain Entity to our new graph. Since we did not specify the slider value in the Machine itself (see the docs for tips on how to do that), you need to set the Slider to an appropriate value.
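As an added illustration of what the finished script looks like (it is not the page’s screenshot and not Paterva’s shipped code), here is a complete Machine for this sequence written in MSL. The machine ID, display name and author are made up. The three Transform IDs are placeholders, because the page does not give them; replace each with the real ID picked from the Machine Editor’s Transform list as described above. The `slider:` argument is the in-script alternative to setting the graph slider that the previous paragraph mentions; leave it out to keep the graph slider in control.

```msl
machine("example.BrandProtectionOtherTLDs",
        displayName:"Brand Protection - Other TLDs",
        author:"Example author",
        description:"Domain -> other TLDs -> website -> live certificate") {

    start {
        // Step 1: enumerate the same hostname under other TLDs (paypal.me, paypal.tk, ...).
        // Placeholder ID: take the real one from the Machine Editor with "Filter by Input" = Domain.
        status("Finding other TLDs")
        run("PLACEHOLDER.ID.To_Domain_Find_other_TLDs")

        // Step 2: quick DNS lookup for a www record on each Domain returned above.
        // Placeholder ID: same list, still filtered on Domain.
        status("Checking for www records")
        run("PLACEHOLDER.ID.To_Website_Quick_lookup")

        // Step 3: TLS handshake with each live Website and return its certificate.
        // Placeholder ID: switch "Filter by Input" to Website to find it.
        // slider: caps results per run from inside the script; omit it to use the graph slider.
        status("Fetching live certificates")
        run("PLACEHOLDER.ID.To_Certificate", slider:50)
    }
}
```

Each `run()` consumes every Entity produced by the previous one, which is why the order inside `start {}` mirrors the Domain -> Other TLDs -> Website -> Certificates chain above. Test the script in the editor before saving so that a mistyped Transform ID is caught at compile time rather than at run time.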

Right-click the domain, select Machines, and run the Machine under the name we set in its metadata.

Image 13

Et voilà!

You will notice the Machine will execute the Transforms in sequence, resulting in the graph below.

Image 14

Open a new graph and try the Machine with a different Domain Entity such as “amazon[dot]com”.

We have shown how it is possible to automate Transforms and thereby reduce the work required of investigators. This Machine served as an example use case; any custom Transforms that you have can also be used within Machines. For more information about Machines and other Maltego product features, read our documentation.
