diff --git a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log new file mode 100644 index 00000000..e65a35a2 --- /dev/null +++ b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:714e898e11d48bd15038e49e1fdac54081ffab6447c19807a5126ac555c4f1b7 +size 1219840 diff --git a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml new file mode 100644 index 00000000..5948a141 --- /dev/null +++ b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml @@ -0,0 +1,13 @@ +author: Vignesh Subramanian, Splunk +id: 59206f25-1c8a-43a8-878e-a0f5c8aed211 +date: '2026-01-19' +description: 'Generated dataset of Windows Sysmon process creation logs (Event ID 1) capturing TOR browser and related TOR component activities on Windows endpoints. Insider threats and external attackers may use TOR to hide their activity and bypass network security controls. This dataset helps detect the presence and execution of TOR components on Windows systems.' +environment: manual simulations in a controlled lab environment +directory: windows_tor_client_execution +mitre_technique: +- T1090.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
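Review bot: the first hunk commits `windows-sysmon.log` only as a Git LFS pointer (`oid sha256:714e898e…`, `size 1219840`), so the repository itself holds a three-line pointer rather than the 1.2 MB Sysmon log; confirm the LFS object was pushed alongside this commit and that whatever consumes the dataset (replay tooling, CI that loads the `.yml`) runs `git lfs pull` first, otherwise the `path` in the metadata resolves to the pointer text and ingestion into `XmlWinEventLog` will fail silently or index garbage.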
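Review bot: in the second hunk the `path` value is absolute (`/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log`) while `directory` is relative (`windows_tor_client_execution`); check that the loader expects the leading slash, since a relative path from the repository root is the more common convention and a mismatch makes the dataset unresolvable. Two smaller points in the same file: the `description` calls this a "Generated dataset" while `environment` says "manual simulations in a controlled lab environment", and the two readings (synthetic versus captured) should be reconciled so detection authors know how representative the events are; and the description scopes the data to "process creation logs (Event ID 1)" even though it motivates the dataset with bypassing "network security controls", so either state explicitly that only Event ID 1 is included or note which other Sysmon event types, if any, are present in the log.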