Classic Product Pack used to create the 1E Explorer TachyonCore instruction set that includes instructions for Tagging and Quarantine. 

Please refer to:

Instruction text (ReadablePayload)TypeDescriptionInstruction file nameVersion

Add <action> action Windows firewall rule to IP address <ipaddress>

ActionAdd a specified action firewall rule to a specified IP address. Windows only.
1E-Explorer-TachyonCore-AddFirewallRule
7

What software is installed?

QuestionReturns all installed software.
1E-Explorer-TachyonCore-AllInstalledSoftware
7

What audio devices are installed?

QuestionReturns details of audio devices. Windows only.
1E-Explorer-TachyonCore-AudioDeviceDetails
6

What BIOS firmware is installed?

QuestionReturns details of BIOS firmware.
1E-Explorer-TachyonCore-BiosDetails
6

What on-board cache memory is available?

QuestionReturns details of the processor's cache memory.
1E-Explorer-TachyonCore-CacheMemoryDetails
6

What optical drives are installed?

QuestionReturns details of all optical drives.
1E-Explorer-TachyonCore-CdRomDriveDetails
6

Change service <servicename> and its dependencies to <state> state

ActionStarts or stops a service and any services that are dependent on it.
1E-Explorer-TachyonCore-ChangeServiceStateWithDependencies
6

Does coverage tag <tagname> exist?

QuestionReports the existance of the specified coverage tag
1E-Explorer-TachyonCore-CheckIfCoverageTagExists
6

Is coverage tag <tagname> set to <tagvalue>?

QuestionReports whether the defined coverage tag has the specified value
1E-Explorer-TachyonCore-CheckIfCoverageTagHasGivenValue
6

Does freeform tag <tagname> exist?

QuestionReports whether the specified freeform tag exists
1E-Explorer-TachyonCore-CheckIfFreeformTagExists
6

Is freeform tag <tagname> set to <tagvalue>?

QuestionReports whether the defined freeform tag has the specified value
1E-Explorer-TachyonCore-CheckIfFreeformTagHasGivenValue
6

Which devices respond to a check for a simple IoC that evaluates the indicators: <IP_Address> <Ports> <FileSpec> <Domain> <IP_Range> <URL>, gathered since <Search_Period_days> days ago?

QuestionCheck a simple Indicator of Compromise.
1E-Explorer-TachyonCore-CheckSimpleIoC
6

Flush the DNS cache

ActionFlushes the DNS cache on the machine
1E-Explorer-TachyonCore-CommandLineFlushDns
6

Ping <targetmachine> using <ipversion>

ActionPing a specific IP address
1E-Explorer-TachyonCore-CommandLinePing
6

Set service <servicename> startup type to <startuptype> and state to <state>

ActionChanges the startup type and the state of an operating system service
1E-Explorer-TachyonCore-ControlService
6

How many coverage tags are there?

QuestionReturns the number of coverage tags.
1E-Explorer-TachyonCore-CountCoverageTags
6

How many freeform tags are there?

QuestionReturns the number of freeform tags.
1E-Explorer-TachyonCore-CountFreeformTags
6

Create an empty freeform tag named <tagname>

ActionCreates a freeform tag with an empty value. If this tag already exists, its value will be removed.
1E-Explorer-TachyonCore-CreateEmptyFreeformTag
6

Delete all coverage tags

ActionDeletes all coverage tags. This is a high impact instruction and should be used with care.
1E-Explorer-TachyonCore-DeleteAllCoverageTags
6

Delete all freeform tags

ActionDeletes all freeform tags. This is a high impact instruction and should be used with care.
1E-Explorer-TachyonCore-DeleteAllFreeformTags
6

Delete coverage tag named <tagname>

ActionDeletes specified coverage tag
1E-Explorer-TachyonCore-DeleteCoverageTag
6

Delete file at <path>

ActionDeletes a file with specified path
1E-Explorer-TachyonCore-DeleteFileByPath
6

Delete <action> Windows firewall action rule assigned to IP address <ipaddress>

ActionDeletes specified firewall action rule assigned to specified IP address. Windows only.
1E-Explorer-TachyonCore-DeleteFirewallRule
6

Delete freeform tag named <tagname>

ActionDeletes specified freeform tag
1E-Explorer-TachyonCore-DeleteFreeformTag
6

What device drivers are installed?

QuestionReturns details of device drivers.
1E-Explorer-TachyonCore-DeviceDrivers
6

Which devices currently have active network connections to <ipAddress>?

QuestionGets all devices that currently have any open TCP connections to the specified IP address. It includes information about processes and ports.
1E-Explorer-TachyonCore-DevicesConnectedToEndpoint
6

Which devices are listening on port <port>?

QuestionGets devices listening on a specific network port. It also includes information about the listening process.
1E-Explorer-TachyonCore-DevicesListeningOnAPort
6

Which Windows services are disabled?

QuestionShows count of disabled Windows services.
1E-Explorer-TachyonCore-DisabledServices
6

What video adapters are installed?

QuestionReturns details of video graphic adapters. Windows only.
1E-Explorer-TachyonCore-DisplayAdapterDetails
6

<EnableOrDisable> the Windows firewall for the following profile(s): <profile>

ActionEnable or Disable Windows Advanced Firewall for a given profile. Note that this enables locally, and that GPO will override if set.
1E-Explorer-TachyonCore-EnableDisableFirewall
3

What does the WMI query <query> on <namespace> return?

QuestionExecutes a WMI query and returns result. The query execution will be successfull only if the WMI namespace and class exists. Windows only.
1E-Explorer-TachyonCore-ExecuteWmiQuery
6

Which devices have a directory named <directoryname> on a fixed disk?

QuestionFinds a directory by name.
1E-Explorer-TachyonCore-FindDirectoryByName
6

Which devices have a file named <filename> on a fixed disk?

QuestionFinds a file by name.
1E-Explorer-TachyonCore-FindFileByName
6

Which devices have a file of <filesize> bytes with a SHA256 hash of <hash> on a fixed disk?

QuestionFinds a file by size and SHA256 hash.
1E-Explorer-TachyonCore-FindFileBySizeAndHash
6

What is the file version infomation of <filename> on a fixed disk?

QuestionFinds file version, Original Filename, Product Name and Product version of a file you specify
1E-Explorer-TachyonCore-FindFileVersionInfoByName
5

What are the coverage tags?

QuestionReturns all coverage tag values
1E-Explorer-TachyonCore-GetAllCoverageTags
6

What are the freeform tags?

QuestionReturns all freeform tag values
1E-Explorer-TachyonCore-GetAllFreeformTags
6

What is the value of the coverage tag <tagname>?

QuestionReturns value of a specific coverage tag
1E-Explorer-TachyonCore-GetCoverageTag
6

How much memory is installed?

QuestionMemory details for each installed DIMM.
1E-Explorer-TachyonCore-GetCurrentInstalledMemoryDetails
6

What is the current Powershell execution policy?

QuestionReturns the Powershell execution policy on the device.
1E-Explorer-TachyonCore-GetExecutionPolicyPowershellCommandLine
6

What is the content of <filename>?

QuestionRetrieve the content of files matching the given file path search pattern. Wildcard characters and environment variables may be used.
1E-Explorer-TachyonCore-GetFile
7

Which lines of <filename> match the pattern <pattern>?

QuestionRetrieves the lines of files matching the given file path search pattern. Wildcard characters and environment variables may be used.
1E-Explorer-TachyonCore-GetFileByLines
6

What operating system details exist for <filePath>, optionally computing the hash (<computeHash>)

QuestionWhat details does the operating system have about a particular file
1E-Explorer-TachyonCore-GetFileDetails
10

What access permissions exist on <filePath>?

QuestionWhat access permissions exist for a particular file
1E-Explorer-TachyonCore-GetFilePermissions
12

What files are in <folder> folder?

QuestionRetrieve the files in a specified folder. Windows Only.
1E-Explorer-TachyonCore-GetFilesInFolder
6

What files are in <folder> folder, including subfolders?

QuestionRetrieve the files in a specified folder and all subfolders. Windows Only.
1E-Explorer-TachyonCore-GetFilesInFolderRecursively
6

Which devices have <action> action Windows firewall rule assigned to IP address <ipaddress>?

QuestionGets devices with a specified action firewall rule assigned to a specified IP address. Windows Only.
1E-Explorer-TachyonCore-GetFirewallRule
6

List <ruleState> firewall rules

QuestionReturns firewall rules filtered by state
1E-Explorer-TachyonCore-GetFirewallRulesFiltered
3

What is the value of the freeform tag <tagname>?

QuestionReturns the value of a specific freeform tag
1E-Explorer-TachyonCore-GetFreeformTag
6

What historical inbound connections are recorded?

QuestionRetrieves the historical inbound connections recorded on the device
1E-Explorer-TachyonCore-GetInboundConnectionHistory
5

What historical inbound mapped drives are recorded?

QuestionRetrieves the historical inbound mapped drives recorded on the device
1E-Explorer-TachyonCore-GetInboundMappedDriveHistory
5

What shared printers are being used on the machine?

QuestionWhat shared printers are being used on the machine?
1E-Explorer-TachyonCore-GetInboundPrinters
5

Which Windows hotfixes are installed?

QuestionReturns a list of installed Windows hotfixes.
1E-Explorer-TachyonCore-GetInstalledWindowsHotfixes
6

Which IP addresses are assigned to devices?

QuestionGets the IP addresses assigned to devices. Windows Only.
1E-Explorer-TachyonCore-GetIpAddresses
6

Who is currently logged in?

QuestionShows a list of all users logged into devices, including interactive and remote desktop sessions.
1E-Explorer-TachyonCore-GetLoggedInUsers
6

What historical outbound connections are recorded?

QuestionRetrieves the historical outbound connections recorded on the device
1E-Explorer-TachyonCore-GetOutboundConnectionHistory
5

What outbound shared drives usage has been recorded?

QuestionRetrieves the historical and currently exposed shared drive usage recorded on the device
1E-Explorer-TachyonCore-GetOutboundMappedDriveHistory
5

What printers are shared from the machine?

QuestionWhat printers are shared from the machine?
1E-Explorer-TachyonCore-GetOutboundPrinters
4

What processes are running?

QuestionGet all running processes.
1E-Explorer-TachyonCore-GetProcesses
6

Are my devices quarantined? Warning: Please read the description before use

QuestionQueries the quarantine status of the device. Please use with care, and please read the documentation for the quarantine feature before use.
1E-Explorer-TachyonCore-GetQuarantineStatus
5

What services are running?

QuestionRetrieves all the running services. Windows Only.
1E-Explorer-TachyonCore-GetServiceInfo
6

Which Hyper-V virtual machines are running?

QuestionReturns details for virtualized Hyper-V guest machines that are currently running. Windows hosts only.
1E-Explorer-TachyonCore-HyperVGuestDetails
6

What memory chips are installed?

QuestionDetails of RAM chips. Windows Only.
1E-Explorer-TachyonCore-InstalledMemoryDetails
6

How many of each operating system versions are installed?

QuestionReturn a count of all distinct Operating Systems, Version and Virtual platform for each Tachyon-connected device.
1E-Explorer-TachyonCore-InstalledOS
6

Which versions of <appname> are installed?

QuestionReturns count of all distinct versions of the specified product. Note the value entered does not need to be complete e.g. enter chrome and all products containing chrome will be returned.
1E-Explorer-TachyonCore-InstalledSoftwareProduct
7

Which versions of <publisher> <appname> are installed?

QuestionReturns count of all distinct versions of the specified publisher and product. Note the values entered do not need to be complete e.g. enter Micro and all publishers containing Micro will be returned.
1E-Explorer-TachyonCore-InstalledSoftwarePublisherProduct
7

What USB devices are installed?

QuestionReturns details of installed USB devices. Windows only.
1E-Explorer-TachyonCore-InstalledUsbDevices
8

Kill process <processId>

ActionTerminate a single process.
1E-Explorer-TachyonCore-KillProcess
6

Kill process(es) with image name matching <exename>

ActionTerminate all instances of a specified executable.
1E-Explorer-TachyonCore-KillProcesses
6

How many local groups is <accountName> a member of?

QuestionGet the number of local groups each matching account is a member of. Windows Only.
1E-Explorer-TachyonCore-LocalGroupMemberSummary
7

Which logical drives are available?

QuestionGet details of logical drives, including network drives. Windows Only.
1E-Explorer-TachyonCore-LogicalDiskDetails
6

Log off <user>

ActionLogs off %user% from all specified machines. The account should not contain a prefix. The user will be forcibly logged off - unsaved work or documents will be lost. Windows Only.
1E-Explorer-TachyonCore-LogoffUser
6

How are network adapters configured?

QuestionGet the configuration of the network adapters. Windows Only.
1E-Explorer-TachyonCore-NetworkAdapterConfigurationDetails
6

Which network adapters are installed?

QuestionGets details of network adapters. Windows Only.
1E-Explorer-TachyonCore-NetworkAdapterDetails
6

What processes are listening on which ports?

QuestionGets network listening processes and ports.
1E-Explorer-TachyonCore-NetworkListeningProcessesAndPorts
6

What does the nslookup for <address> return?

QuestionPerforms an nslookup on a specified address and returns the output as a string. 
1E-Explorer-TachyonCore-NslookupCmd
6

Which hard drives are installed?

QuestionGet details of physical disk drives. Windows Only.
1E-Explorer-TachyonCore-PhysicalDiskDetails
6

Which plug-and-play devices are installed?

QuestionGet details of plug and play devices. Windows Only.
1E-Explorer-TachyonCore-PlugAndPlayDevices
6

Which printers are installed?

QuestionGet details of installed printers. Windows only.
1E-Explorer-TachyonCore-PrinterDetails
6

Which devices are currently running <ProcessName> as local admin?

QuestionFinds all devices that currently have the specified process running with local administrator privilages.
1E-Explorer-TachyonCore-ProcessAsLocalAdmin
6

Which processors are installed?

QuestionDetails of processors installed. Windows Only.
1E-Explorer-TachyonCore-ProcessorDetails
6

What processor types are being used?

QuestionGets processor types being used by devices. Windows only.
1E-Explorer-TachyonCore-ProcessorDetailsByType
6

Quarantine selected devices. Warning: Please read the description before use

ActionQuarantines the device. The device will only be able to contact Tachyon. CRL checks must be set to soft. Certificate expiry can cause the agent to fail to connect to the switch. If an agent is no longer connected to Tachyon after quarantine, it will remain in quarantine. Please use with care, and please read the documentation for the quarantine feature before use.
1E-Explorer-TachyonCore-QuarantineDevice
5

Shutdown and reboot devices in <timeToReboot> seconds

ActionSchedules a reboot in a specified number of seconds. This will not prompt for user interaction!
1E-Explorer-TachyonCore-RebootMachineInXSeconds
3

Refresh the Windows CRL cache

ActionRefreshes the CRL cache by setting the ChainCacheResyncFiletime. This means that windows will attempt to retrieve a CRL the next time it is called upon for verification.
1E-Explorer-TachyonCore-RefreshCrlCache
6

Delete registry key <hive>:<subkey> recursively

ActionDelete an entire registry key. Windows Only.
1E-Explorer-TachyonCore-RegistryDeleteKey
7

Delete key <subkey> for every user in the HKEY_USERS hive

ActionDelete a specified key for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistryDeleteUserKey
7

Delete a <value> under <subkey> for every user in the HKEY_USERS hive

ActionDelete a specified registry entry for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistryDeleteUserValues
7

Delete registry entry <hive> <subkey> <name>

ActionDelete a specified registry entry. Windows Only.
1E-Explorer-TachyonCore-RegistryDeleteValue
7

What are all the keys under the registry key <hive> <subkey>?

QuestionGet all sub keys for a Registry key. Windows Only.
1E-Explorer-TachyonCore-RegistryEnumerateKeys
10

What are all the keys under a registry <subkey> for each user in the HKEY_USERS hive?

QuestionGet all the keys under a subkey for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistryEnumerateUserKeys
5

What are all the values under a registry <subkey> for each user in the HKEY_USERS hive?

QuestionGet all the values under a subkey for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistryEnumerateUserValues
7

What are all the values under the registry key <hive> <subkey>?

QuestionGet all values for a Registry key. Windows Only.
1E-Explorer-TachyonCore-RegistryEnumerateValues
7

What is the value of <value> under <subkey> for each user in the HKEY_USERS hive?

QuestionGet a registry value for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistryGetUserValues
8

What is the value of the registry entry <hive> <subkey> <name>?

QuestionGet the value for a Registry entry. Windows Only.
1E-Explorer-TachyonCore-RegistryGetValue
7

Which devices have the registry key <hive> <subkey>?

QuestionDetermine whether a given Registry key exists. Windows Only.
1E-Explorer-TachyonCore-RegistryKeyExists
7

Set <name> as <valuetype> to <value> under <subkey> for every user in the HKEY_USERS hive

ActionSet a registry entry for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistrySetUserValues
7

Set registry entry <hive> <subkey> <name> to <valuetype> <value>

ActionSet the value for a given Registry entry. Windows Only.
1E-Explorer-TachyonCore-RegistrySetValue
7

Which users in the HKEY_USERS hive have <subkey>?

QuestionDetermine whether a registry key exists for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistryUserKeyExists
6

Which users in the HKEY_USERS hive have a <value> under <subkey>?

QuestionDetermine whether a registry entry exists for each user in the HKEY_USERS hive. Windows Only.
1E-Explorer-TachyonCore-RegistryUserValueExists
6

Which devices have the registry entry <hive> <subkey> <name>?

QuestionDetermine whether a given Registry entry exists. Windows Only.
1E-Explorer-TachyonCore-RegistryValueExists
7

Which removable drives are installed?

QuestionReturns information about removable drives. Windows Only.
1E-Explorer-TachyonCore-RemovableDiskDetails
6

Which devices are running <executable>?

QuestionShows machines running a specific executable. Windows Only.
1E-Explorer-TachyonCore-RunningProcess
7

Set coverage tag <tagname> to <tagvalue>

ActionSets a value for a coverage tag on devices. This tag can be used to narrow down target devices for instructions.
1E-Explorer-TachyonCore-SetCoverageTag
6

Set freeform tag <tagname> to <tagvalue>

ActionSets a value for a freeform tag on devices. This tag and value combination can be arbitrary. This tag cannot be used to narrow down target devices for instructions.
1E-Explorer-TachyonCore-SetFreeFormTag
6

Set PowerShell execution policy to <executionPolicy>

ActionSets the PowerShell execution policy on devices. The new execution policy will be returned after being set.
1E-Explorer-TachyonCore-SetPowerShellExecutionPolicy
6

Remove application <appname> published by <publisher>

ActionRemoves all versions of the specified application published by the specified publisher, if present.
1E-Explorer-TachyonCore-UninstallApplicationAllVersions
6

Remove version <version> of application <appname> published by <publisher>

ActionRemoves the specified version of the the specified application published by the specified publisher, if it is present.
1E-Explorer-TachyonCore-UninstallApplicationSpecificVersion
6

Releases selected devices from quarantine. Warning: Please read the description before use

ActionUnquarantines the device. Please use with care, and please read the documentation for the quarantine feature before use.
1E-Explorer-TachyonCore-UnquarantineDevice
5

Which unsigned device drivers are installed?

QuestionGets device drivers which are not digitally signed. Windows only.
1E-Explorer-TachyonCore-UnsignedDeviceDrivers
6

Which devices is <domainName>\<accountName> currently logged on?

QuestionFind all devices on which the given user is currently logged in. Windows Only.
1E-Explorer-TachyonCore-UserLoggedInDevices
7

Which Windows updates are pending a reboot?

QuestionGets Windows updates with a count of each device that is pending a reboot for this update to take effect. Windows only.
1E-Explorer-TachyonCore-WindowsUpdatesPendingReboot
6