1E Explorer TachyonCore product pack
Classic Product Pack used to create the 1E Explorer TachyonCore instruction set that includes instructions for Tagging and Quarantine.
Please refer to:
- Creating the Tags instruction set for steps required to upload this product pack and create the Tags instruction set.
- Tagging client devices for details on setting, deleting, querying and using tags.
- 1E Quarantine for guidance on using the quarantine device instructions.
Instructions
Instruction text (ReadablePayload) | Type | Description | Instruction file name | Version |
---|---|---|---|---|
Add <action> action Windows firewall rule to IP address <ipaddress> | Action | Add a specified action firewall rule to a specified IP address. Windows only. | 1E-Explorer-TachyonCore-AddFirewallRule | 7 |
What software is installed? | Question | Returns all installed software. | 1E-Explorer-TachyonCore-AllInstalledSoftware | 7 |
What audio devices are installed? | Question | Returns details of audio devices. Windows only. | 1E-Explorer-TachyonCore-AudioDeviceDetails | 6 |
What BIOS firmware is installed? | Question | Returns details of BIOS firmware. | 1E-Explorer-TachyonCore-BiosDetails | 6 |
What on-board cache memory is available? | Question | Returns details of the processor's cache memory. | 1E-Explorer-TachyonCore-CacheMemoryDetails | 6 |
What optical drives are installed? | Question | Returns details of all optical drives. | 1E-Explorer-TachyonCore-CdRomDriveDetails | 6 |
Change service <servicename> and its dependencies to <state> state | Action | Starts or stops a service and any services that are dependent on it. | 1E-Explorer-TachyonCore-ChangeServiceStateWithDependencies | 6 |
Does coverage tag <tagname> exist? | Question | Reports the existence of the specified coverage tag | 1E-Explorer-TachyonCore-CheckIfCoverageTagExists | 6 |
Is coverage tag <tagname> set to <tagvalue>? | Question | Reports whether the defined coverage tag has the specified value | 1E-Explorer-TachyonCore-CheckIfCoverageTagHasGivenValue | 6 |
Does freeform tag <tagname> exist? | Question | Reports whether the specified freeform tag exists | 1E-Explorer-TachyonCore-CheckIfFreeformTagExists | 6 |
Is freeform tag <tagname> set to <tagvalue>? | Question | Reports whether the defined freeform tag has the specified value | 1E-Explorer-TachyonCore-CheckIfFreeformTagHasGivenValue | 6 |
Which devices respond to a check for a simple IoC that evaluates the indicators: <IP_Address> <Ports> <FileSpec> <Domain> <IP_Range> <URL>, gathered since <Search_Period_days> days ago? | Question | Check a simple Indicator of Compromise. | 1E-Explorer-TachyonCore-CheckSimpleIoC | 6 |
Flush the DNS cache | Action | Flushes the DNS cache on the machine | 1E-Explorer-TachyonCore-CommandLineFlushDns | 6 |
Ping <targetmachine> using <ipversion> | Action | Ping a specific IP address | 1E-Explorer-TachyonCore-CommandLinePing | 6 |
Set service <servicename> startup type to <startuptype> and state to <state> | Action | Changes the startup type and the state of an operating system service | 1E-Explorer-TachyonCore-ControlService | 6 |
How many coverage tags are there? | Question | Returns the number of coverage tags. | 1E-Explorer-TachyonCore-CountCoverageTags | 6 |
How many freeform tags are there? | Question | Returns the number of freeform tags. | 1E-Explorer-TachyonCore-CountFreeformTags | 6 |
Create an empty freeform tag named <tagname> | Action | Creates a freeform tag with an empty value. If this tag already exists, its value will be removed. | 1E-Explorer-TachyonCore-CreateEmptyFreeformTag | 6 |
Delete all coverage tags | Action | Deletes all coverage tags. This is a high impact instruction and should be used with care. | 1E-Explorer-TachyonCore-DeleteAllCoverageTags | 6 |
Delete all freeform tags | Action | Deletes all freeform tags. This is a high impact instruction and should be used with care. | 1E-Explorer-TachyonCore-DeleteAllFreeformTags | 6 |
Delete coverage tag named <tagname> | Action | Deletes specified coverage tag | 1E-Explorer-TachyonCore-DeleteCoverageTag | 6 |
Delete file at <path> | Action | Deletes a file with specified path | 1E-Explorer-TachyonCore-DeleteFileByPath | 6 |
Delete <action> Windows firewall action rule assigned to IP address <ipaddress> | Action | Deletes specified firewall action rule assigned to specified IP address. Windows only. | 1E-Explorer-TachyonCore-DeleteFirewallRule | 6 |
Delete freeform tag named <tagname> | Action | Deletes specified freeform tag | 1E-Explorer-TachyonCore-DeleteFreeformTag | 6 |
What device drivers are installed? | Question | Returns details of device drivers. | 1E-Explorer-TachyonCore-DeviceDrivers | 6 |
Which devices currently have active network connections to <ipAddress>? | Question | Gets all devices that currently have any open TCP connections to the specified IP address. It includes information about processes and ports. | 1E-Explorer-TachyonCore-DevicesConnectedToEndpoint | 6 |
Which devices are listening on port <port>? | Question | Gets devices listening on a specific network port. It also includes information about the listening process. | 1E-Explorer-TachyonCore-DevicesListeningOnAPort | 6 |
Which Windows services are disabled? | Question | Shows count of disabled Windows services. | 1E-Explorer-TachyonCore-DisabledServices | 6 |
What video adapters are installed? | Question | Returns details of video graphic adapters. Windows only. | 1E-Explorer-TachyonCore-DisplayAdapterDetails | 6 |
<EnableOrDisable> the Windows firewall for the following profile(s): <profile> | Action | Enable or Disable Windows Advanced Firewall for a given profile. Note that this enables locally, and that GPO will override if set. | 1E-Explorer-TachyonCore-EnableDisableFirewall | 3 |
What does the WMI query <query> on <namespace> return? | Question | Executes a WMI query and returns the result. The query execution will be successful only if the WMI namespace and class exist. Windows only. | 1E-Explorer-TachyonCore-ExecuteWmiQuery | 6 |
Which devices have a directory named <directoryname> on a fixed disk? | Question | Finds a directory by name. | 1E-Explorer-TachyonCore-FindDirectoryByName | 6 |
Which devices have a file named <filename> on a fixed disk? | Question | Finds a file by name. | 1E-Explorer-TachyonCore-FindFileByName | 6 |
Which devices have a file of <filesize> bytes with a SHA256 hash of <hash> on a fixed disk? | Question | Finds a file by size and SHA256 hash. | 1E-Explorer-TachyonCore-FindFileBySizeAndHash | 6 |
What is the file version infomation of <filename> on a fixed disk? | Question | Finds file version, Original Filename, Product Name and Product version of a file you specify | 1E-Explorer-TachyonCore-FindFileVersionInfoByName | 5 |
What are the coverage tags? | Question | Returns all coverage tag values | 1E-Explorer-TachyonCore-GetAllCoverageTags | 6 |
What are the freeform tags? | Question | Returns all freeform tag values | 1E-Explorer-TachyonCore-GetAllFreeformTags | 6 |
What is the value of the coverage tag <tagname>? | Question | Returns value of a specific coverage tag | 1E-Explorer-TachyonCore-GetCoverageTag | 6 |
How much memory is installed? | Question | Memory details for each installed DIMM. | 1E-Explorer-TachyonCore-GetCurrentInstalledMemoryDetails | 6 |
What is the current Powershell execution policy? | Question | Returns the PowerShell execution policy on the device. | 1E-Explorer-TachyonCore-GetExecutionPolicyPowershellCommandLine | 6 |
What is the content of <filename>? | Question | Retrieve the content of files matching the given file path search pattern. Wildcard characters and environment variables may be used. | 1E-Explorer-TachyonCore-GetFile | 7 |
Which lines of <filename> match the pattern <pattern>? | Question | Retrieves the lines of files matching the given file path search pattern. Wildcard characters and environment variables may be used. | 1E-Explorer-TachyonCore-GetFileByLines | 6 |
What operating system details exist for <filePath>, optionally computing the hash (<computeHash>) | Question | What details does the operating system have about a particular file | 1E-Explorer-TachyonCore-GetFileDetails | 10 |
What access permissions exist on <filePath>? | Question | What access permissions exist for a particular file | 1E-Explorer-TachyonCore-GetFilePermissions | 12 |
What files are in <folder> folder? | Question | Retrieve the files in a specified folder. Windows Only. | 1E-Explorer-TachyonCore-GetFilesInFolder | 6 |
What files are in <folder> folder, including subfolders? | Question | Retrieve the files in a specified folder and all subfolders. Windows Only. | 1E-Explorer-TachyonCore-GetFilesInFolderRecursively | 6 |
Which devices have <action> action Windows firewall rule assigned to IP address <ipaddress>? | Question | Gets devices with a specified action firewall rule assigned to a specified IP address. Windows Only. | 1E-Explorer-TachyonCore-GetFirewallRule | 6 |
List <ruleState> firewall rules | Question | Returns firewall rules filtered by state | 1E-Explorer-TachyonCore-GetFirewallRulesFiltered | 3 |
What is the value of the freeform tag <tagname>? | Question | Returns the value of a specific freeform tag | 1E-Explorer-TachyonCore-GetFreeformTag | 6 |
What historical inbound connections are recorded? | Question | Retrieves the historical inbound connections recorded on the device | 1E-Explorer-TachyonCore-GetInboundConnectionHistory | 5 |
What historical inbound mapped drives are recorded? | Question | Retrieves the historical inbound mapped drives recorded on the device | 1E-Explorer-TachyonCore-GetInboundMappedDriveHistory | 5 |
What shared printers are being used on the machine? | Question | What shared printers are being used on the machine? | 1E-Explorer-TachyonCore-GetInboundPrinters | 5 |
Which Windows hotfixes are installed? | Question | Returns a list of installed Windows hotfixes. | 1E-Explorer-TachyonCore-GetInstalledWindowsHotfixes | 6 |
Which IP addresses are assigned to devices? | Question | Gets the IP addresses assigned to devices. Windows Only. | 1E-Explorer-TachyonCore-GetIpAddresses | 6 |
Who is currently logged in? | Question | Shows a list of all users logged into devices, including interactive and remote desktop sessions. | 1E-Explorer-TachyonCore-GetLoggedInUsers | 6 |
What historical outbound connections are recorded? | Question | Retrieves the historical outbound connections recorded on the device | 1E-Explorer-TachyonCore-GetOutboundConnectionHistory | 5 |
What outbound shared drives usage has been recorded? | Question | Retrieves the historical and currently exposed shared drive usage recorded on the device | 1E-Explorer-TachyonCore-GetOutboundMappedDriveHistory | 5 |
What printers are shared from the machine? | Question | What printers are shared from the machine? | 1E-Explorer-TachyonCore-GetOutboundPrinters | 4 |
What processes are running? | Question | Get all running processes. | 1E-Explorer-TachyonCore-GetProcesses | 6 |
Are my devices quarantined? Warning: Please read the description before use | Question | Queries the quarantine status of the device. Please use with care, and please read the documentation for the quarantine feature before use. | 1E-Explorer-TachyonCore-GetQuarantineStatus | 5 |
What services are running? | Question | Retrieves all the running services. Windows Only. | 1E-Explorer-TachyonCore-GetServiceInfo | 6 |
Which Hyper-V virtual machines are running? | Question | Returns details for virtualized Hyper-V guest machines that are currently running. Windows hosts only. | 1E-Explorer-TachyonCore-HyperVGuestDetails | 6 |
What memory chips are installed? | Question | Details of RAM chips. Windows Only. | 1E-Explorer-TachyonCore-InstalledMemoryDetails | 6 |
How many of each operating system versions are installed? | Question | Return a count of all distinct Operating Systems, Version and Virtual platform for each Tachyon-connected device. | 1E-Explorer-TachyonCore-InstalledOS | 6 |
Which versions of <appname> are installed? | Question | Returns count of all distinct versions of the specified product. Note the value entered does not need to be complete e.g. enter chrome and all products containing chrome will be returned. | 1E-Explorer-TachyonCore-InstalledSoftwareProduct | 7 |
Which versions of <publisher> <appname> are installed? | Question | Returns count of all distinct versions of the specified publisher and product. Note the values entered do not need to be complete e.g. enter Micro and all publishers containing Micro will be returned. | 1E-Explorer-TachyonCore-InstalledSoftwarePublisherProduct | 7 |
What USB devices are installed? | Question | Returns details of installed USB devices. Windows only. | 1E-Explorer-TachyonCore-InstalledUsbDevices | 8 |
Kill process <processId> | Action | Terminate a single process. | 1E-Explorer-TachyonCore-KillProcess | 6 |
Kill process(es) with image name matching <exename> | Action | Terminate all instances of a specified executable. | 1E-Explorer-TachyonCore-KillProcesses | 6 |
How many local groups is <accountName> a member of? | Question | Get the number of local groups each matching account is a member of. Windows Only. | 1E-Explorer-TachyonCore-LocalGroupMemberSummary | 7 |
Which logical drives are available? | Question | Get details of logical drives, including network drives. Windows Only. | 1E-Explorer-TachyonCore-LogicalDiskDetails | 6 |
Log off <user> | Action | Logs off %user% from all specified machines. The account should not contain a prefix. The user will be forcibly logged off - unsaved work or documents will be lost. Windows Only. | 1E-Explorer-TachyonCore-LogoffUser | 6 |
How are network adapters configured? | Question | Get the configuration of the network adapters. Windows Only. | 1E-Explorer-TachyonCore-NetworkAdapterConfigurationDetails | 6 |
Which network adapters are installed? | Question | Gets details of network adapters. Windows Only. | 1E-Explorer-TachyonCore-NetworkAdapterDetails | 6 |
What processes are listening on which ports? | Question | Gets network listening processes and ports. | 1E-Explorer-TachyonCore-NetworkListeningProcessesAndPorts | 6 |
What does the nslookup for <address> return? | Question | Performs an nslookup on a specified address and returns the output as a string. | 1E-Explorer-TachyonCore-NslookupCmd | 6 |
Which hard drives are installed? | Question | Get details of physical disk drives. Windows Only. | 1E-Explorer-TachyonCore-PhysicalDiskDetails | 6 |
Which plug-and-play devices are installed? | Question | Get details of plug and play devices. Windows Only. | 1E-Explorer-TachyonCore-PlugAndPlayDevices | 6 |
Which printers are installed? | Question | Get details of installed printers. Windows only. | 1E-Explorer-TachyonCore-PrinterDetails | 6 |
Which devices are currently running <ProcessName> as local admin? | Question | Finds all devices that currently have the specified process running with local administrator privileges. | 1E-Explorer-TachyonCore-ProcessAsLocalAdmin | 6 |
Which processors are installed? | Question | Details of processors installed. Windows Only. | 1E-Explorer-TachyonCore-ProcessorDetails | 6 |
What processor types are being used? | Question | Gets processor types being used by devices. Windows only. | 1E-Explorer-TachyonCore-ProcessorDetailsByType | 6 |
Quarantine selected devices. Warning: Please read the description before use | Action | Quarantines the device. The device will only be able to contact Tachyon. CRL checks must be set to soft. Certificate expiry can cause the agent to fail to connect to the switch. If an agent is no longer connected to Tachyon after quarantine, it will remain in quarantine. Please use with care, and please read the documentation for the quarantine feature before use. | 1E-Explorer-TachyonCore-QuarantineDevice | 5 |
Shutdown and reboot devices in <timeToReboot> seconds | Action | Schedules a reboot in a specified number of seconds. This will not prompt for user interaction! | 1E-Explorer-TachyonCore-RebootMachineInXSeconds | 3 |
Refresh the Windows CRL cache | Action | Refreshes the CRL cache by setting the ChainCacheResyncFiletime. This means that Windows will attempt to retrieve a CRL the next time it is called upon for verification. | 1E-Explorer-TachyonCore-RefreshCrlCache | 6 |
Delete registry key <hive>:<subkey> recursively | Action | Delete an entire registry key. Windows Only. | 1E-Explorer-TachyonCore-RegistryDeleteKey | 7 |
Delete key <subkey> for every user in the HKEY_USERS hive | Action | Delete a specified key for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistryDeleteUserKey | 7 |
Delete a <value> under <subkey> for every user in the HKEY_USERS hive | Action | Delete a specified registry entry for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistryDeleteUserValues | 7 |
Delete registry entry <hive> <subkey> <name> | Action | Delete a specified registry entry. Windows Only. | 1E-Explorer-TachyonCore-RegistryDeleteValue | 7 |
What are all the keys under the registry key <hive> <subkey>? | Question | Get all sub keys for a Registry key. Windows Only. | 1E-Explorer-TachyonCore-RegistryEnumerateKeys | 10 |
What are all the keys under a registry <subkey> for each user in the HKEY_USERS hive? | Question | Get all the keys under a subkey for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistryEnumerateUserKeys | 5 |
What are all the values under a registry <subkey> for each user in the HKEY_USERS hive? | Question | Get all the values under a subkey for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistryEnumerateUserValues | 7 |
What are all the values under the registry key <hive> <subkey>? | Question | Get all values for a Registry key. Windows Only. | 1E-Explorer-TachyonCore-RegistryEnumerateValues | 7 |
What is the value of <value> under <subkey> for each user in the HKEY_USERS hive? | Question | Get a registry value for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistryGetUserValues | 8 |
What is the value of the registry entry <hive> <subkey> <name>? | Question | Get the value for a Registry entry. Windows Only. | 1E-Explorer-TachyonCore-RegistryGetValue | 7 |
Which devices have the registry key <hive> <subkey>? | Question | Determine whether a given Registry key exists. Windows Only. | 1E-Explorer-TachyonCore-RegistryKeyExists | 7 |
Set <name> as <valuetype> to <value> under <subkey> for every user in the HKEY_USERS hive | Action | Set a registry entry for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistrySetUserValues | 7 |
Set registry entry <hive> <subkey> <name> to <valuetype> <value> | Action | Set the value for a given Registry entry. Windows Only. | 1E-Explorer-TachyonCore-RegistrySetValue | 7 |
Which users in the HKEY_USERS hive have <subkey>? | Question | Determine whether a registry key exists for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistryUserKeyExists | 6 |
Which users in the HKEY_USERS hive have a <value> under <subkey>? | Question | Determine whether a registry entry exists for each user in the HKEY_USERS hive. Windows Only. | 1E-Explorer-TachyonCore-RegistryUserValueExists | 6 |
Which devices have the registry entry <hive> <subkey> <name>? | Question | Determine whether a given Registry entry exists. Windows Only. | 1E-Explorer-TachyonCore-RegistryValueExists | 7 |
Which removable drives are installed? | Question | Returns information about removable drives. Windows Only. | 1E-Explorer-TachyonCore-RemovableDiskDetails | 6 |
Which devices are running <executable>? | Question | Shows machines running a specific executable. Windows Only. | 1E-Explorer-TachyonCore-RunningProcess | 7 |
Set coverage tag <tagname> to <tagvalue> | Action | Sets a value for a coverage tag on devices. This tag can be used to narrow down target devices for instructions. | 1E-Explorer-TachyonCore-SetCoverageTag | 6 |
Set freeform tag <tagname> to <tagvalue> | Action | Sets a value for a freeform tag on devices. This tag and value combination can be arbitrary. This tag cannot be used to narrow down target devices for instructions. | 1E-Explorer-TachyonCore-SetFreeFormTag | 6 |
Set PowerShell execution policy to <executionPolicy> | Action | Sets the PowerShell execution policy on devices. The new execution policy will be returned after being set. | 1E-Explorer-TachyonCore-SetPowerShellExecutionPolicy | 6 |
Remove application <appname> published by <publisher> | Action | Removes all versions of the specified application published by the specified publisher, if present. | 1E-Explorer-TachyonCore-UninstallApplicationAllVersions | 6 |
Remove version <version> of application <appname> published by <publisher> | Action | Removes the specified version of the specified application published by the specified publisher, if it is present. | 1E-Explorer-TachyonCore-UninstallApplicationSpecificVersion | 6 |
Releases selected devices from quarantine. Warning: Please read the description before use | Action | Unquarantines the device. Please use with care, and please read the documentation for the quarantine feature before use. | 1E-Explorer-TachyonCore-UnquarantineDevice | 5 |
Which unsigned device drivers are installed? | Question | Gets device drivers which are not digitally signed. Windows only. | 1E-Explorer-TachyonCore-UnsignedDeviceDrivers | 6 |
Which devices is <domainName>\<accountName> currently logged on? | Question | Find all devices on which the given user is currently logged in. Windows Only. | 1E-Explorer-TachyonCore-UserLoggedInDevices | 7 |
Which Windows updates are pending a reboot? | Question | Gets Windows updates with a count of each device that is pending a reboot for this update to take effect. Windows only. | 1E-Explorer-TachyonCore-WindowsUpdatesPendingReboot | 6 |