IIMQL Search: deep search for infra chains

Internal docs

IIMQL without the headache.

IIMQL is the query layer for IIM chains. Plain text is fine for quick pivots. IIMQL is what you use when you want to ask questions about roles, relations, entities, techniques, and chain layouts instead of digging through another indicator bucket like it is 2014.

What IIMQL searches

The search page reads published IIM chains from the configured Mantis abyss.db. A chain is treated as a structured document: it has metadata, positions, entities, relations, techniques, and source context. IIMQL runs against that structure.

This matters because infrastructure intelligence is rarely useful as a flat list. A domain can be entry, redirector, staging, C2, noise, or a compromised third-party site. IIMQL lets you search the role and the relation, not just the string.

Plain text mode

If the query does not start with MATCH, the search runs as a broad text pivot. Use it for actor names, domains, URLs, tags, campaign names, malware family names, hosting hints, or quick “do we have this?” checks.

Gamaredon
workers.dev
GraphWorm
IIM-T010

IIMQL mode

If the query starts with MATCH, the IIMQL parser is used. That lets you search structured objects such as chains, positions, entities, relations, and graph patterns.

MATCH chain
MATCH position WHERE role = "c2"
MATCH entity WHERE type = "domain"

The mental model

chain     One published IIM infrastructure chain. Usually actor/campaign scoped.
position  A role inside the chain, for example entry, redirector, staging, payload, or c2.
entity    The actual observable object: domain, URL, IP, hash, file, service, or similar.
relation  The connection between objects: redirects_to, hosts, drops, downloads, communicates_with, resolves_to.

The useful thing is the combination. evil.example as a string is nice. evil.example as an entry node that redirects to staging, which drops a payload that talks to C2, is actual context.

Basic syntax

Most useful queries follow this shape:

MATCH target WHERE condition RETURN fields

WHERE and RETURN are optional. Start broad, then narrow down. Yes, like normal search, just with fewer vibes and more structure.

MATCH chain                  Find whole chains.
MATCH position               Find role positions inside chains.
MATCH entity                 Find observable entities.
MATCH relation               Find relations between infrastructure objects.
MATCH (:entry)-->(:staging)  Find a graph pattern.

Operators

Useful filters:

=      exact match
!=     not equal
CONTAINS substring match
HAS    list contains value
=~     regex match
AND    combine filters
OR     alternative filters
NOT    negate filter

Fields you will use a lot

chain.chain_id
chain.title
chain.actor_id
chain.technique_ids
position.role
entity.type
entity.value
relation.type

Which of these fields are actually populated depends on the chain content, so a filter on an empty field silently matches nothing. Public feed quality matters here: garbage in, weird query results out. Shocking.
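To make the mental model, the basic syntax, the operators and the graph-pattern form concrete, here is a small in-memory evaluator for that query shape. It is an added example, not the parser behind the search page or anything from Mantis: the grammar details it fills in (keywords are case-insensitive, OR binds looser than AND, NOT binds tightest, a bare field name such as role is looked up on the position first, then the entity, then the chain, and a pattern edge matches a relation of any type) are assumptions, as are the sample chains, which are constructed and fictional apart from reusing the field names listed above.

```python
import re

CHAINS = [  # constructed sample corpus (fictional, for this example only) in the chain / position / entity / relation layout
    {"chain_id": "c-0001", "title": "Redirect to staging to C2", "actor_id": "actor-a", "technique_ids": ["IIM-T010"],
     "positions": [{"id": "p1", "role": "entry", "entity": "e1"}, {"id": "p2", "role": "staging", "entity": "e2"},
                   {"id": "p3", "role": "payload", "entity": "e3"}, {"id": "p4", "role": "c2", "entity": "e4"}],
     "entities": [{"id": "e1", "type": "domain", "value": "evil.example"}, {"id": "e2", "type": "url", "value": "https://stage.example/go"},
                  {"id": "e3", "type": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e"}, {"id": "e4", "type": "ip", "value": "203.0.113.7"}],
     "relations": [{"type": "redirects_to", "src": "p1", "dst": "p2"}, {"type": "drops", "src": "p2", "dst": "p3"},
                   {"type": "communicates_with", "src": "p3", "dst": "p4"}]},
    {"chain_id": "c-0002", "title": "Lure on workers.dev", "actor_id": "actor-b", "technique_ids": ["IIM-T003"],
     "positions": [{"id": "p1", "role": "entry", "entity": "e1"}, {"id": "p2", "role": "payload", "entity": "e2"}],
     "entities": [{"id": "e1", "type": "domain", "value": "lure.workers.dev"}, {"id": "e2", "type": "file", "value": "invoice.iso"}],
     "relations": [{"type": "downloads", "src": "p1", "dst": "p2"}]},
]

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,  # the page's filter operators: a is the field value, b the literal
       "CONTAINS": lambda a, b: isinstance(a, str) and b in a, "HAS": lambda a, b: isinstance(a, list) and b in a,
       "=~": lambda a, b: isinstance(a, str) and re.search(b, a) is not None}
TOKEN = re.compile(r'\s*(?:"([^"]*)"|\(:([\w-]+)\)|(-->|=~|!=|=|,)|([^\s"()=,]+))')

def tokenize(query):  # groups: quoted literal | (:role) node | operator or comma | bare word -> [(kind, text)]
    matches = list(TOKEN.finditer(query))
    if sum(len(m[0]) for m in matches) != len(query.rstrip()):  # anything the regex skipped is a syntax error
        raise ValueError("query contains characters the tokenizer does not accept")
    return [("str", m[1]) if m[1] is not None else ("node", m[2]) if m[2] else ("sym", m[3] or m[4]) for m in matches]

class Parser:  # MATCH target [WHERE expr] [RETURN field, ...]; target is chain|position|entity|relation or (:a)-->(:b)...
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def at(self, *syms):  # is the next token one of these keywords/operators? (keywords are case-insensitive)
        return self.i < len(self.toks) and self.toks[self.i][0] == "sym" and self.toks[self.i][1].upper() in syms
    def take(self, sym=None, kind=None):  # consume the next token, optionally requiring a symbol or a token kind
        if self.i >= len(self.toks) or (sym and not self.at(sym)) or (kind and self.toks[self.i][0] != kind):
            raise ValueError(f"expected {sym or kind or 'a value'} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1][1]
    def take_if(self, sym):  # consume the next token only if it is this symbol
        return self.take() if self.at(sym) else None
    def parse(self):
        self.take("MATCH")
        if self.i < len(self.toks) and self.toks[self.i][0] == "node":  # graph pattern -> list of roles in path order
            target = [self.take(kind="node").lower()]
            while self.take_if("-->"):
                target.append(self.take(kind="node").lower())
        else:
            target = self.take().lower()
        where = self.parse_expr() if self.take_if("WHERE") else None
        fields = [self.take()] if self.take_if("RETURN") else None
        while fields and self.take_if(","):
            fields.append(self.take())
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing input")
        return target, where, fields
    def parse_expr(self, level=0):  # precedence: OR (level 0) binds loosest, then AND (level 1), then NOT and comparisons
        if level < 2:
            node = self.parse_expr(level + 1)
            while self.take_if(("OR", "AND")[level]):
                node = (("or", "and")[level], node, self.parse_expr(level + 1))
            return node
        if self.take_if("NOT"):
            return ("not", self.parse_expr(2))
        field, op = self.take(), self.take().upper()
        if op not in OPS:
            raise ValueError(f"unknown operator {op}")
        return ("cmp", field, op, self.take())

def rows(target, chain):  # one row per object of the target type; a row maps object names to the dicts fields refer to
    if target == "chain":
        return [{"chain": chain}]
    ents = {e["id"]: e for e in chain["entities"]}
    objs = {"position": chain["positions"], "entity": chain["entities"], "relation": chain["relations"]}[target]
    return [{target: o, **({"entity": ents[o["entity"]]} if target == "position" else {}), "chain": chain} for o in objs]

def has_path(roles, chain):  # do positions with these roles occur linked in this order by relations (of any type)?
    role_of = {p["id"]: p["role"] for p in chain["positions"]}
    succ = {p: [r["dst"] for r in chain["relations"] if r["src"] == p] for p in role_of}
    def walk(pos, rest):  # depth-first: can the remaining roles be matched along relations leaving pos?
        return not rest or any(role_of.get(n) == rest[0] and walk(n, rest[1:]) for n in succ.get(pos, []))
    return any(role == roles[0] and walk(pid, roles[1:]) for pid, role in role_of.items())

def lookup(row, field):  # "position.role" resolves against that object; a bare "role" is tried against each object in the row
    obj, _, key = field.rpartition(".")
    return row.get(obj, {}).get(key) if obj else next((o[key] for o in row.values() if key in o), None)

def evaluate(node, row):  # evaluate a parsed WHERE tree against one row
    kind, *args = node
    if kind == "cmp":
        return OPS[args[1]](lookup(row, args[0]), args[2])
    return not evaluate(args[0], row) if kind == "not" else (all if kind == "and" else any)(evaluate(a, row) for a in args)

def run(query, chains=CHAINS):  # returns the matching objects, or projected dicts when RETURN names fields
    target, where, fields = Parser(query).parse()
    if isinstance(target, list):  # graph pattern: results are the whole chains that contain the path
        primary, matched = "chain", [{"chain": c} for c in chains if has_path(target, c)]
    else:
        primary, matched = target, [r for c in chains for r in rows(target, c)]
    matched = [r for r in matched if where is None or evaluate(where, r)]
    return [r[primary] if fields is None else {f: lookup(r, f) for f in fields} for r in matched]
```

run('MATCH position WHERE role = "c2" RETURN chain.chain_id, entity.value') returns the C2 position's chain and observable from the sample corpus, and run("MATCH (:entry)-->(:staging)-->(:payload)") returns only the chain whose relations actually link those roles in that order; a position being present is not enough, the path has to exist. Two design points worth keeping in mind if you ever build something like this for real: bare field names are ambiguous once several objects are in play, so dotted names are the safer habit, and the =~ operator hands a user-supplied pattern to a backtracking regex engine, which on an exposed search service wants a length limit or a timeout.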

Why many chains matter

One chain explains one operation. Ten chains are useful context. A hundred chains start becoming a corpus. That is where IIMQL gets interesting, because you can stop asking “have we seen this IOC?” and start asking “have we seen this infrastructure pattern?”

The next logical step is an IIMQL search tool that can query across enough public feed data to find repeated layouts, actor-specific infrastructure habits, staging patterns, redirect chains, C2 exposure patterns, and technique combinations. This page is the first useful layer for that. More later, once the corpus is large enough to make the queries worth it.

Examples

Simple and spicy queries

Each query below runs against the current public chain dataset.

Plain text: Quick actor or campaign pivot

Fastest mode. Searches chain titles, descriptions, actors, tags, entities, and evidence text.

Gamaredon

Plain text: Search for infrastructure value

Good for quick pivots on domains, URLs, hosting patterns, or small pieces of infrastructure.

workers.dev

Simple IIMQL: Show all chains

Returns the published chain corpus without filtering. Useful as a sanity check.

MATCH chain

Pattern: Payload to C2

Simple way to find chains where a payload leads into command and control.

MATCH (:payload)-->(:c2)