From dec0fd65596113c5e744006f26d66cb01d61fd51 Mon Sep 17 00:00:00 2001
From: Vignesh <117492322+vignesh-user@users.noreply.github.com>
Date: Tue, 27 Jan 2026 01:04:55 +0530
Subject: [PATCH 1/2] Add Windows Sysmon TOR client execution dataset for T1090.003

---
 .../windows_tor_client_execution/windows-sysmon.log | 3 +++
 .../windows_tor_client_execution.yml | 13 +++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
 create mode 100644 datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml

diff --git a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
new file mode 100644
index 00000000..e65a35a2
--- /dev/null
+++ b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:714e898e11d48bd15038e49e1fdac54081ffab6447c19807a5126ac555c4f1b7
+size 1219840
diff --git a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml
new file mode 100644
index 00000000..5d865659
--- /dev/null
+++ b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml
@@ -0,0 +1,13 @@
+author: Vignesh Subramanian, Splunk
+id:
+date: '2026-01-19'
+description: 'Generated dataset of Windows Sysmon process creation logs (Event ID 1) capturing TOR browser and related TOR component activities on Windows endpoints. Insider threats and external attackers may use TOR to hide their activity and bypass network security controls. This dataset helps detect the presence and execution of TOR components on Windows systems.'
+environment: manual simulations in a controlled lab environment
+directory: windows_tor_client_execution
+mitre_technique:
+- T1090.003
+datasets:
+- name: windows-sysmon
+ path: /datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

From 74a9fb0a32743be9c8da2ff6dea84928fdfb13ab Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 29 Jan 2026 15:00:36 +0100
Subject: [PATCH 2/2] Apply suggestions from code review

---
 .../windows_tor_client_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml
index 5d865659..5948a141 100644
--- a/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml
+++ b/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows_tor_client_execution.yml
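Review bot: The new metadata is inconsistent about provenance: `description` opens with "Generated dataset" while `environment` reads `manual simulations in a controlled lab environment`, and a detection author needs to know which it is, because the field fidelity of Event ID 1 records (hashes, parent process chain, OriginalFileName) may differ between synthesized events and a real Sysmon capture. The log itself arrives as an LFS pointer in the first hunk, so the diff gives no way to check this and the description is the only place it can be stated. Suggest rewording to say how the events were produced and what they contain, e.g. `description: 'Windows Sysmon process creation logs (Event ID 1) recorded during manual execution of the TOR browser and related TOR components in a lab environment. ...'`, and, if known, adding a sentence naming the Sysmon version/config the events were collected with so consumers can tell which fields to expect.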
@@ -1,5 +1,5 @@
 author: Vignesh Subramanian, Splunk
-id:
+id: 59206f25-1c8a-43a8-878e-a0f5c8aed211
 date: '2026-01-19'
 description: 'Generated dataset of Windows Sysmon process creation logs (Event ID 1) capturing TOR browser and related TOR component activities on Windows endpoints. Insider threats and external attackers may use TOR to hide their activity and bypass network security controls. This dataset helps detect the presence and execution of TOR components on Windows systems.'
 environment: manual simulations in a controlled lab environment