Ad-hoc pivots are annoying
Every chain library eventually turns into one-off scripts. Find me all C2 domains with dynamic DNS. Find chains that use archive delivery. Find two redirectors before staging. Repeat forever.
IIMQL is a read-only query language for IIM chains, patterns and feeds. It turns infrastructure questions into compact queries: roles, relations, techniques, entities, confidence and chain shape in one place.
Show chains where a geofenced entry path eventually lands in a payload that talks to a domain-rotation or dynamic-DNS C2.
IOC feeds can tell you whether a domain, IP or hash was seen before. IIMQL is for the next question: how does this thing sit inside an operation? Is it an entry, a redirector, a staging host, a payload, or a C2 node? Which relation connects it to the rest of the chain?
IIM already models adversary infrastructure as chains and patterns. IIMQL makes that model searchable without throwing analysts back into Python for every structural question.
ATT&CK describes behavior. IIM describes infrastructure. IIMQL queries the infrastructure side: hosting, routing, resolution, gating and composition.
The mental model is simple: pick what you want to match, optionally filter it, then return the fields you care about.
Most day-to-day IIMQL queries follow one shape: MATCH target, then optional WHERE, then optional RETURN. The target can be a whole chain, a flattened object, or a graph pattern.
Use simple targets when you do not need a chain shape. This is perfect for listing all C2 positions, searching domain entities, or finding a specific relation type across a corpus.
Chains: filter by actor, confidence, source, review status or metadata.
Positions: find entries, redirectors, staging nodes, payloads or C2 positions.
Entities: search URLs, domains, IPs, files, hashes, certificates and related values.
Relations: find download, redirect, drops, execute, connect and resolution relations.
Graph patterns are the interesting part. Nodes are written as roles, optionally with aliases. Edges can be untyped arrows or typed relations. The result is a structural question over IIM chains.
Aliases like e, s, p and c can be used later in WHERE or RETURN.
Filters cover the basics: equality, ordering, regex, membership, substring matching, boolean logic and grouping. For analyst use, the most important operators are usually HAS, IN, regex and boolean combinations.
Comparison: =, !=, <, >, <=, >=. Useful for confidence, sequence order, counts and metadata.
Membership: HAS, IN, NOT IN. Query technique arrays, confidence sets, actor IDs and role lists.
Matching: CONTAINS, =~, !~. Substring and regex matching for domains, URLs and file names.
Logic: AND, OR, NOT. Combine shape and property constraints without script glue.
Omit RETURN for a readable summary. Add one field for scalar output, or multiple fields for structured rows. Qualified field names make complex results clear.
IIMQL is structural, not fuzzy. A pattern only matches when the relation exists in the chain. Missing fields do not magically become false. String comparisons are case-sensitive because IIM values are not normalized by default.
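To make the MATCH / WHERE / RETURN shape and the structural rules above concrete, here is a small matcher over an IIM-style chain written in Python. This is an added illustration, not IIMQL's grammar or the project's engine: the chain layout and field names (role, entity, techniques, confidence), the `*` edge meaning "eventually reaches", and the three-valued WHERE semantics (a missing field yields "unknown", and unknown never matches, even under NOT) are all assumptions chosen to show the behaviour the text describes. The sample chain is constructed.

```python
"""Toy structural matcher over an IIM-style chain (added example, not IIMQL's code).

Assumptions: node field names, the '*' reachability edge and the
three-valued WHERE semantics are illustrative choices, not IIMQL's spec.
"""
from itertools import product

# Constructed sample chain: positions are nodes with a role; relations are
# typed edges (src, relation, dst). The payload deliberately has no
# confidence field so the missing-field rule can be demonstrated.
CHAIN = {
    "nodes": {
        "n1": {"role": "entry", "entity": "hxxp://lure.example/open",
               "techniques": ["geofence"], "confidence": "high"},
        "n2": {"role": "redirector", "entity": "cdn-edge.example", "confidence": "medium"},
        "n3": {"role": "staging", "entity": "files.example", "techniques": ["archive-delivery"]},
        "n4": {"role": "payload", "entity": "9f86d081884c7d65"},
        "n5": {"role": "c2", "entity": "beacon.ddns.example",
               "techniques": ["dynamic-dns"], "confidence": "high"},
    },
    "relations": [("n1", "redirect", "n2"), ("n2", "download", "n3"),
                  ("n3", "drops", "n4"), ("n4", "connect", "n5")],
}

MISSING = object()

# Three-valued predicates: True / False / None, where None means "unknown"
# because the field is absent. A missing field never silently becomes False.
def has(node, field, value):
    v = node.get(field, MISSING)
    return None if v is MISSING else value in v

def eq(node, field, value):
    v = node.get(field, MISSING)
    return None if v is MISSING else v == value   # case-sensitive, no normalisation

def not_(x):
    return None if x is None else (not x)

def and_(*xs):
    if any(x is False for x in xs): return False
    if any(x is None for x in xs): return None
    return True

def or_(*xs):
    if any(x is True for x in xs): return True
    if any(x is None for x in xs): return None
    return False

def reachable(chain):
    """Transitive closure over relations, used for the assumed '*' edge."""
    adj = {}
    for s, _, d in chain["relations"]:
        adj.setdefault(s, set()).add(d)
    out = {}
    for start in chain["nodes"]:
        seen, stack = set(), [start]
        while stack:
            for nxt in adj.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt); stack.append(nxt)
        out[start] = seen
    return out

def match(chain, pattern, where=None, return_fields=None):
    """pattern = ({alias: role}, [(alias, relation or None or '*', alias)]).
    A pattern edge only matches when that relation really exists in the chain."""
    nodes, edges = pattern
    aliases = list(nodes)
    candidates = [[nid for nid, n in chain["nodes"].items() if n["role"] == nodes[a]]
                  for a in aliases]
    rels = set(chain["relations"])
    untyped = {(s, d) for s, _, d in rels}
    reach = reachable(chain)
    results = []
    for combo in product(*candidates):
        if len(set(combo)) != len(combo):          # one chain position per alias
            continue
        b = dict(zip(aliases, combo))
        ok = all((b[c] in reach[b[a]]) if r == "*" else
                 ((b[a], r, b[c]) in rels) if r else ((b[a], b[c]) in untyped)
                 for a, r, c in edges)
        if not ok:
            continue
        bound = {a: chain["nodes"][b[a]] for a in aliases}
        if where is not None and where(bound) is not True:   # unknown never matches
            continue
        if return_fields:                           # qualified names, like alias.field
            results.append({f"{a}.{f}": bound[a].get(f, MISSING) for a, f in return_fields})
        else:
            results.append(b)
    return results

# Worked query: geofenced entry that eventually reaches a payload whose C2
# uses dynamic DNS or domain rotation; return the entry and C2 entities.
def geofenced_entry_to_rotating_c2(chain=CHAIN):
    pattern = ({"e": "entry", "p": "payload", "c": "c2"},
               [("e", "*", "p"), ("p", "connect", "c")])
    where = lambda b: and_(has(b["e"], "techniques", "geofence"),
                           or_(has(b["c"], "techniques", "dynamic-dns"),
                               has(b["c"], "techniques", "domain-rotation")))
    return match(chain, pattern, where, [("e", "entity"), ("c", "entity")])

# Missing-field rule: the payload has no confidence, so NOT (confidence = low)
# is unknown rather than True, and the payload is not returned.
def payloads_not_low_confidence(chain=CHAIN):
    return match(chain, ({"p": "payload"}, []),
                 lambda b: not_(eq(b["p"], "confidence", "low")))

# Case-sensitivity: "C2" and "c2" are different role strings.
def c2_count_by_casing(chain=CHAIN):
    return len(match(chain, ({"c": "C2"}, []))), len(match(chain, ({"c": "c2"}, [])))

if __name__ == "__main__":
    print(geofenced_entry_to_rotating_c2())
    print(payloads_not_low_confidence(), c2_count_by_casing())
```

The point of the three helper queries is the caveat in the paragraph above: structure is checked against relations that actually exist, an absent field produces no match in either polarity, and role and technique strings are compared exactly as stored.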
Keep the homepage practical. People should be able to copy one example, understand the moving parts and then leave for the repository when they need the formal grammar.
This is intentionally not a full parser in the browser. It is a documentation-friendly example switcher: select a query, read what it means, copy it into the CLI or later wire this up against a hosted API.
The CLI is designed for local chain folders, JSON output and quick analyst pivots. The Python API exists for tools that want IIMQL as an embedded query layer.
Install the package, point it at a directory of IIM chains, and run inline queries or query files.
Parse once, execute many times, or use the one-liner helper when embedding IIMQL into Kraken, Workbench tooling or another local pipeline.