Add Windows Sysmon TOR client execution dataset for T1090.003 (#1123)

vignesh-user · nasbench · web-flow · commit a7262ec72d44 · 2026-01-29T15:04:48.000+01:00
---------

Co-authored-by: Nasreddine Bencherchali &lt;nbencher@cisco.com&gt;
diff --git a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:714e898e11d48bd15038e49e1fdac54081ffab6447c19807a5126ac555c4f1b7
+size 1219840
diff --git a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml
@@ -0,0 +1,13 @@
+author: Vignesh Subramanian, Splunk
+id: 59206f25-1c8a-43a8-878e-a0f5c8aed211
+date: '2026-01-19'
+description: 'Generated dataset of Windows Sysmon process creation logs (Event ID 1) capturing TOR browser and related TOR component activities on Windows endpoints. Insider threats and external attackers may use TOR to hide their activity and bypass network security controls. This dataset helps detect the presence and execution of TOR components on Windows systems.'
+environment: manual simulations in a controlled lab environment
+directory: windows_tor_client_execution
+mitre_technique:
+- T1090.003
+datasets:
+- name: windows-sysmon
+  path: /datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:714e898e11d48bd15038e49e1fdac54081ffab6447c19807a5126ac555c4f1b7`
	`3`	`+size 1219840`