Maltego OSINT Tool Intro

Maltego is a tool for OSINT and visual link analysis. It can pull data from multiple sources to explore the properties of entities and the relationships between them. It’s useful for cyber threat intel analysts, OSINT analysts, and other infosec pros.

The list of entities Maltego can work with includes company, CVE, device, DNS record, domain, email address, file, hash, image, IP address, location, organization, phone number, phrase, port, URL, website, and more.

Maltego graph

The free transforms (data sources) include STIX 2 Utilities, Abuse.ch URLhaus, AlienVault OTX, ATT&CK — MISP, GreyNoise Community, Have I Been Pwned?, OpenCTI, VirusTotal (Public API), and more.

The paid transforms include Cisco Threat Grid, Cofense Intelligence, CrowdStrike Intel and ThreatGraph, Digital Shadows, DomainTools Enterprise and Iris, Mandiant, Flashpoint, Intel 471 Enterprise and Pro, Recorded Future, Shodan, ThreatConnect, ZeroFOX Transforms, and more.

Maltego CE Transform Hub

Maltego Setup

1. Download Maltego.
2. Install Java if it’s not already installed.
3. Run Maltego. Choose a Maltego product/edition. You can start with the free Community Edition (CE). Here’s a comparison of the products.
4. Install additional transforms as needed (Transforms tab > Transform Hub). You can see details there, and on the Maltego site.
5. Hit Cmd/Ctrl + T to create a new graph. Use the Entity Palette on the left to add entities to the graph.

To learn more about what you can do with Maltego, see the resources below.

Additional Resources

Maltego Learning & Training

How to Conduct Person of Interest Investigations Using OSINT & Maltego

Investigating TA413 Threat Actor Group Using OpenCTI in Maltego

Chasing DarkSide Affiliates: Identifying Threat Actors Connected to Darkside Ransomware Using…

Getting Started with Maltego

Maltego documentation

Maltego Handbook for Cyber Threat Intelligence