Conversation

@vignesh-user vignesh-user commented Jan 29, 2026

Details

This PR adds a new detection that identifies TOR Browser and related TOR component execution on Windows endpoints using process creation telemetry.

The analytic monitors process name and parent process name to detect TOR execution originating from common parent processes such as browsers and command-line utilities. This behavior may indicate attempts to anonymize activity, evade monitoring, or bypass security controls.

Screenshots of the detection logic and test results are included for validation. Also, before merging this request, please merge the attack dataset PR (splunk/attack_data#1123).

[Screenshot: parent_process_name / process_name]

If you need any further information, please reach out to me via Slack.

Slack ID: Vignesh Subramanian

Checklist

  • [x] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [x] CI/CD jobs passed
  • [x] Validated SPL logic.
  • [x] Validated tags, description, and how to implement.
  • [x] Verified references match analytic.
  • Confirm updates to lookups are handled properly.

This detection is used to detect the execution of the TOR browser and its components on Windows systems.

@nasbench nasbench added this to the v5.21.0 milestone Jan 29, 2026
1. Focused on detecting tor.exe and added the process_path field to detect TOR execution within Brave Browser. 

Brave Browser includes a built-in TOR client that is not explicitly named tor.exe during process creation; instead, it appears as tor-0.4.8.19-win32-brave-0. To capture this, I added the Brave Browser path to the detection logic to identify the presence of TOR within Brave. 

I also introduced wildcards in the path to support any version of the TOR binaries used by Brave, ensuring that different version numbers are correctly matched.

2. Avoided using escape characters to improve readability.

3. The provided ID has been added.

4. The process field has been added as a threat object.

5. Additional tokens have been included in the risk-based alerting message to make it clearer and more meaningful.

6. The word “detection” has been removed from the title, which is now: "Windows TOR Client Execution"

7. Added the correct attack dataset link from (https://github.com/splunk/attack_data/blob/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log)

@vignesh-user vignesh-user left a comment


Hi @nasbench,

I have done the changes which you mentioned above. Please review and let me know of any further changes.

  1. Focused on detecting tor.exe based on our interest and removed wildcard *tor*.

  2. Added the process_path field to detect TOR execution within Brave Browser because it includes a built-in TOR client that is not explicitly named tor.exe during process creation; instead, it appears as tor-0.4.8.19-win32-brave-0. To capture this, I added the Brave Browser path to the detection logic to identify the presence of TOR within Brave.
    [Screenshot: process_path_brave]

  3. I also added wildcards in the path to support any versions of TOR binaries used by Brave, ensuring that different version numbers are correctly matched.
    [Screenshot: detection]

  4. Avoided using escape characters to improve readability.

  5. The provided ID has been incorporated.

  6. The process file has been added as a threat object.

  7. Additional tokens have been included in the risk-based alerting message to make it clearer and more meaningful.

  8. The word detection has been removed from the title, which is now: Windows TOR Client Execution

  9. Added the correct attack dataset link from (https://github.com/splunk/attack_data/blob/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log)
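The matching described in this thread (tor.exe by name, plus Brave's bundled client found through the Brave install path and a tor-* wildcard), as an added example that is not the PR's SPL or the project's code. The AND between the two path globs, the parent-process tokens in the message and the sample events are assumptions of this example.

```python
import fnmatch

# Patterns quoted in the PR discussion. The PR's SPL is not shown here, so
# the AND/OR structure below is this example's assumption, not the PR's code.
TOR_PROCESS_NAME = "tor.exe"
BRAVE_PATH_GLOB = "*\\BraveSoftware\\Brave-Browser*"
BRAVE_TOR_GLOB = "*\\tor-*"  # covers tor-0.4.8.19-win32-brave-0 and other versions

def _glob(value, pattern):
    """Case-insensitive wildcard match, mimicking '*' inside a Splunk string."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_tor_execution(event):
    """True when a process-creation event looks like a TOR client launch."""
    name = event.get("process_name", "")
    path = event.get("process_path", "")
    if name.lower() == TOR_PROCESS_NAME:
        return True
    # Brave's bundled client: require BOTH path conditions so that a stray
    # "\tor-" segment outside the Brave install path does not fire on its own.
    return _glob(path, BRAVE_PATH_GLOB) and _glob(path, BRAVE_TOR_GLOB)

def risk_message(event):
    """RBA-style message built from the parent/process tokens the PR mentions."""
    return (f"TOR client execution: {event['process_name']} launched by "
            f"{event.get('parent_process_name', 'unknown')} on {event.get('dest', 'unknown')}")

def find_tor_executions(events):
    """Run the detection over a batch of events; return the matching ones."""
    return [e for e in events if is_tor_execution(e)]

# Constructed Sysmon-shaped samples (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    {"dest": "ws01", "parent_process_name": "firefox.exe", "process_name": "tor.exe",
     "process_path": "C:\\Users\\alice\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe"},
    {"dest": "ws02", "parent_process_name": "brave.exe",
     "process_name": "tor-0.4.8.19-win32-brave-0",
     "process_path": "C:\\Users\\bob\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\tor-0.4.8.19-win32-brave-0"},
    # Benign: "\tor-" appears in the path but outside Brave, so it must not fire.
    {"dest": "ws03", "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process_path": "C:\\Users\\carol\\Projects\\tor-notes\\notepad.exe"},
    {"dest": "ws04", "parent_process_name": "cmd.exe", "process_name": "curl.exe",
     "process_path": "C:\\Windows\\System32\\curl.exe"},
]

if __name__ == "__main__":
    for hit in find_tor_executions(SAMPLE_EVENTS):
        print(risk_message(hit))
```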

Updated the detection configuration for Windows TOR Client Execution, including changes to the description, how to implement, known false positives, and drilldown searches.
Comment on lines +23 to +24
Processes.process_path = "*\\BraveSoftware\\Brave-Browser*"
Processes.process_path = "*\\tor-*"
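Review bot: the operator joining the two process_path conditions on lines +23 and +24 is not visible in this excerpt, and it decides how broad the match is. ANDed, `"*\\tor-*"` is scoped to the Brave install path, which is what the thread describes; OR'd, `"*\\tor-*"` on its own fires on any process whose path contains `\tor-`, including unrelated directories named that way. Please confirm the two lines are ANDed and parenthesised together so they form one Brave-specific clause.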
Contributor

Just FYI, in order to avoid using wildcards inside of strings (which is not a recommended thing to do), I split the string like this.

Contributor Author

I understood and thank you for doing the changes.


patel-bhavin commented Feb 2, 2026

neat! these changes look great! thanks Nas and @vignesh-user for the contribution!

App inspect expected to fail on PRs from forks

@patel-bhavin patel-bhavin merged commit 7777dd9 into splunk:develop Feb 2, 2026
4 of 5 checks passed
@vignesh-user
Contributor Author

Thank you very much @nasbench for your inputs and changes and @patel-bhavin for merging my PR!

3 participants