
A Step Towards Stealth Mode


During an investigation, it is often important to ensure that whatever you do, you do not “touch” the target. For example, if you are investigating a particular server, you do not want to leave a trace in the traffic logs that you were there.

Sometimes it is enough that nobody knows you were there, in other words that the traffic originated from your network. Other times it is preferable that nobody was there at all, for example if the URL was embedded in malware and acts as a kill switch of some description (https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/).

In general, the Maltego client does not contact any servers directly; it reaches them only via transform servers such as the CTAS. One exception is when the client itself fetches icons to show on the graph, such as when the Image entity loads a preview of a URL and, more recently, with the Overlay icons introduced in the previous release. This includes the Favicon overlay of the default Website entity.

It was always possible to disable this in the Options of Maltego, but in Maltego 4.2.3 we have now made it easier to find, right next to the ‘Number of Results’ slider in the ribbon:


Additionally, during the initial configuration after a new install, Maltego will now ask you what privacy mode you would prefer, with a description of each:


In the future, we plan to expand this feature further by introducing a Super Stealth mode, where we will enforce the behaviour on the transforms as well. This will require transforms to indicate whether they touch the system being investigated or are simply pulling the data from a passive source.

Happy sleuthing!