From 87c1e732b0d82ad5537d2c6a85b45a8187ad5736 Mon Sep 17 00:00:00 2001
From: Vignesh <117492322+vignesh-user@users.noreply.github.com>
Date: Thu, 29 Jan 2026 08:15:00 +0530
Subject: [PATCH 1/3] Add Windows TOR Client Execution Detected
This detection is used to detects the execution of TOR browser and it's components on windows systems. If you need any further information, please reach out to me via Slack. Slack ID - Vignesh Subramanian
---
 .../windows_tor_client_execution_detected.yml | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 detections/endpoint/windows_tor_client_execution_detected.yml
diff --git a/detections/endpoint/windows_tor_client_execution_detected.yml b/detections/endpoint/windows_tor_client_execution_detected.yml
new file mode 100644
index 0000000000..e6e5f20f2c
--- /dev/null
+++ b/detections/endpoint/windows_tor_client_execution_detected.yml
@@ -0,0 +1,77 @@
+name: Windows TOR Client Execution Detected
+id:
+version: 1
+date: '2026-01-26'
+author: Vignesh Subramanian, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects execution of TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize their presence, evade network monitoring, and bypass security controls. Detection of TOR client execution on Windows systems can indicate attempts to hide data exfiltration, command-and-control traffic, or other policy-violating behavior. Also, TOR can be used for legitimate research, privacy, and security-testing purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.
+data_source:
+- Windows Event Log Security 4688
+- Sysmon EventID 1
+search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\
+ \ as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"\
+ tor.exe\" OR Processes.process_name=\"*tor*\" AND Processes.parent_process_name\
+ \ IN (\"firefox.exe\",\"brave.exe\",\"cmd.exe\",\"powershell.exe\") by Processes.action\
+ \ Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec\
+ \ Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name\
+ \ Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid\
+ \ Processes.process_hash Processes.process_id Processes.process_integrity_level\
+ \ Processes.process_name Processes.process_path Processes.user Processes.user_id\
+ \ Processes.vendor_product \n| `drop_dm_object_name(Processes)` \n| `security_content_ctime(firstTime)`\n\
+ | `security_content_ctime(lastTime)` | `windows_tor_client_execution_detected_filter`"
+how_to_implement: This detection uses the Endpoint.Processes data model and it requires Windows process creation logs from Windows Security EventCode=4688 or Sysmon EventID=1. Ensure that these events are onboarded and mapped to the Endpoint.Processes data model in accordance with the Splunk Common Information Model (CIM).
+known_false_positives: This detection focuses on TOR-related processes and may generate benign matches in environments where TOR is intentionally used, such as security testing, research, or lab environments.
+references:
+- https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/
+- https://attack.mitre.org/software/S0183/
+- https://attack.mitre.org/techniques/T1090/003/
+drilldown_searches:
+- name: View the detection results for - "$dest$"" and "$user$"
+ search: '%original_detection_search% | search dest = "$dest$" user="$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+ "$user$") starthoursago=168 | stats count min(_time)
+ as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+ as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: TOR client execution process detected on host $dest$ by user $user$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ - field: user
+ type: user
+ score: 25
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - Compromised Windows Host
+ - Windows Post-Exploitation
+ - Command And Control
+ - Data Exfiltration
+ - Data Protection
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1090.003
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
\ No newline at end of file
From a4875af7eb16778d8c6774e3657f57282aab3146 Mon Sep 17 00:00:00 2001
From: Vignesh <117492322+vignesh-user@users.noreply.github.com>
Date: Sat, 31 Jan 2026 08:47:36 +0530
Subject: [PATCH 2/3] Update Windows TOR Client Execution Detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1. Focused on detecting tor.exe and added the process_path field to detect TOR execution within Brave Browser. Brave Browser includes a built-in TOR client that is not explicitly named tor.exe during process creation; instead, it appears as tor-0.4.8.19-win32-brave-0. To capture this, I added the Brave Browser path to the detection logic to identify the presence of TOR within Brave. I also introduced wildcards in the path to support any version TOR binaries used by Brave, ensuring that different version numbers are correctly matched.
2. Avoided using escape characters to improve readability.
3. The provided ID has been added.
4. The process field has been added as a threat object.
5. Additional tokens have been included in the risk-based alerting message to make it clearer and more meaningful.
6. The word “detection” has been removed from the title, which is now: "Windows TOR Client Execution"
7. Added the correct attack dataset link from (https://github.com/splunk/attack_data/blob/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log)
---
 .../windows_tor_client_execution_detected.yml | 60 ++++++++++++-------
 1 file changed, 40 insertions(+), 20 deletions(-)
diff --git a/detections/endpoint/windows_tor_client_execution_detected.yml b/detections/endpoint/windows_tor_client_execution_detected.yml
index e6e5f20f2c..91f0c44588 100644
--- a/detections/endpoint/windows_tor_client_execution_detected.yml
+++ b/detections/endpoint/windows_tor_client_execution_detected.yml
@@ -1,25 +1,43 @@
-name: Windows TOR Client Execution Detected
-id:
+name: Windows TOR Client Execution
+id: f164bc6f-ecbe-45e0-aaa6-f5c4d8c84b9a
 version: 1
 date: '2026-01-26'
 author: Vignesh Subramanian, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects execution of TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize their presence, evade network monitoring, and bypass security controls. Detection of TOR client execution on Windows systems can indicate attempts to hide data exfiltration, command-and-control traffic, or other policy-violating behavior. Also, TOR can be used for legitimate research, privacy, and security-testing purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.
+description: The following analytic detects execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement. While TOR can be used for legitimate research and privacy purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.
 data_source:
 - Windows Event Log Security 4688
 - Sysmon EventID 1
-search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\
- \ as lastTime from datamodel=Endpoint.Processes where Processes.process_name=\"\
- tor.exe\" OR Processes.process_name=\"*tor*\" AND Processes.parent_process_name\
- \ IN (\"firefox.exe\",\"brave.exe\",\"cmd.exe\",\"powershell.exe\") by Processes.action\
- \ Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec\
- \ Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name\
- \ Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid\
- \ Processes.process_hash Processes.process_id Processes.process_integrity_level\
- \ Processes.process_name Processes.process_path Processes.user Processes.user_id\
- \ Processes.vendor_product \n| `drop_dm_object_name(Processes)` \n| `security_content_ctime(firstTime)`\n\
- | `security_content_ctime(lastTime)` | `windows_tor_client_execution_detected_filter`"
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+ from datamodel=Endpoint.Processes
+ where Processes.process_name = "tor.exe"
+ OR Processes.process_path = "*\\BraveSoftware\\Brave-Browser\\User Data\\*\\tor-*-win32-brave-*"
+ by Processes.action
+ Processes.dest
+ Processes.original_file_name
+ Processes.parent_process
+ Processes.parent_process_exec
+ Processes.parent_process_guid
+ Processes.parent_process_id
+ Processes.parent_process_name
+ Processes.parent_process_path
+ Processes.process
+ Processes.process_exec
+ Processes.process_guid
+ Processes.process_hash
+ Processes.process_id
+ Processes.process_integrity_level
+ Processes.process_name
+ Processes.process_path
+ Processes.user
+ Processes.user_id
+ Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_tor_client_execution_filter`
 how_to_implement: This detection uses the Endpoint.Processes data model and it requires Windows process creation logs from Windows Security EventCode=4688 or Sysmon EventID=1. Ensure that these events are onboarded and mapped to the Endpoint.Processes data model in accordance with the Splunk Common Information Model (CIM).
 known_false_positives: This detection focuses on TOR-related processes and may generate benign matches in environments where TOR is intentionally used, such as security testing, research, or lab environments.
 references:
@@ -27,7 +45,7 @@ references:
 - https://attack.mitre.org/software/S0183/
 - https://attack.mitre.org/techniques/T1090/003/
 drilldown_searches:
-- name: View the detection results for - "$dest$"" and "$user$"
+- name: View the detection results for - "$dest$" and "$user$"
 search: '%original_detection_search% | search dest = "$dest$" user="$user$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
@@ -41,19 +59,21 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: TOR client execution process detected on host $dest$ by user $user$
+ message: TOR client process $process_name$ was launched by parent process $parent_process_name$ on host $dest$ by the user $user$ with command line $process$
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 50
 - field: user
 type: user
- score: 25
+ score: 50
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
 - field: process_name
 type: process_name
+ - field: process
+ type: process
 tags:
 analytic_story:
 - Compromised Windows Host
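Review bot: The rewritten `where` clause identifies the Tor Browser client solely by `Processes.process_name = "tor.exe"`, so a copy of the binary saved under another name is not matched, although `Processes.original_file_name` is already carried in the `by` clause. Widening the first term to `(Processes.process_name = "tor.exe" OR Processes.original_file_name = "tor.exe")` would cover that case, provided the binary's version resource actually populates that field — worth confirming against the attack_data sample before relying on it. The same observation applies to the search rewritten in PATCH 3/3 for `detections/endpoint/windows_tor_client_execution.yml`.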
@@ -72,6 +92,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
 sourcetype: XmlWinEventLog
- source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
\ No newline at end of file
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
From 1dfc76267e70b5bc143cfb4b441d90ceb6576233 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Mon, 2 Feb 2026 15:10:15 +0100
Subject: [PATCH 3/3] Revise Windows TOR Client Execution detection details
Updated the detection configuration for Windows TOR Client Execution, including changes to the description, how to implement, known false positives, and drilldown searches.
---
 .../endpoint/windows_tor_client_execution.yml | 106 ++++++++++++++++++
 .../windows_tor_client_execution_detected.yml | 97 ----------------
 2 files changed, 106 insertions(+), 97 deletions(-)
 create mode 100644 detections/endpoint/windows_tor_client_execution.yml
 delete mode 100644 detections/endpoint/windows_tor_client_execution_detected.yml
diff --git a/detections/endpoint/windows_tor_client_execution.yml b/detections/endpoint/windows_tor_client_execution.yml
new file mode 100644
index 0000000000..ab4e66b0be
--- /dev/null
+++ b/detections/endpoint/windows_tor_client_execution.yml
@@ -0,0 +1,106 @@
+name: Windows TOR Client Execution
+id: f164bc6f-ecbe-45e0-aaa6-f5c4d8c84b9a
+version: 1
+date: '2026-02-02'
+author: Vignesh Subramanian, Splunk
+status: production
+type: Anomaly
+description: |
+ The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity.
+ Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.
+ While TOR can be used for legitimate research and privacy purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.
+data_source:
+ - CrowdStrike ProcessRollup2
+ - Sysmon EventID 1
+ - Windows Event Log Security 4688
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+ from datamodel=Endpoint.Processes where
+ (
+ Processes.process_name = "tor.exe"
+ OR
+ (
+ Processes.process_path = "*\\BraveSoftware\\Brave-Browser*"
+ Processes.process_path = "*\\tor-*"
+ )
+ )
+ by Processes.action Processes.dest Processes.original_file_name
+ Processes.parent_process Processes.parent_process_exec
+ Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path
+ Processes.process Processes.process_exec Processes.process_guid
+ Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user
+ Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_tor_client_execution_filter`
+how_to_implement: |
+ The detection is based on data that originates from Endpoint Detection
+ and Response (EDR) agents. These agents are designed to provide security-related
+ telemetry from the endpoints where the agent is installed. To implement this search,
+ you must ingest logs that contain the process GUID, process name, and parent process.
+ Additionally, you must ingest complete command-line executions. These logs must
+ be processed using the appropriate Splunk Technology Add-ons that are specific to
+ the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+ data model. Use the Splunk Common Information Model (CIM) to normalize the field
+ names and speed up the data modeling process.
+known_false_positives: |
+ This detection focuses on TOR-related processes and may generate benign matches in environments where TOR is intentionally used, such as security testing, research, or lab environments.
+references:
+ - https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/
+ - https://attack.mitre.org/software/S0183/
+ - https://attack.mitre.org/techniques/T1090/003/
+drilldown_searches:
+ - name: View the detection results for - "$user$" and "$dest$"
+ search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+ search:
+ '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+ "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
+ as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+ Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: TOR client process $process_name$ was launched by parent process $parent_process_name$ on host $dest$ by the user $user$ with command line $process$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 40
+ - field: user
+ type: user
+ score: 40
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
+ - field: process_name
+ type: process_name
+ - field: process
+ type: process
+tags:
+ analytic_story:
+ - Compromised Windows Host
+ - Windows Post-Exploitation
+ - Command And Control
+ - Data Exfiltration
+ - Data Protection
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1090.003
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/detections/endpoint/windows_tor_client_execution_detected.yml b/detections/endpoint/windows_tor_client_execution_detected.yml
deleted file mode 100644
index 91f0c44588..0000000000
--- a/detections/endpoint/windows_tor_client_execution_detected.yml
+++ /dev/null
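Review bot: The inner group of the `where` clause relies on SPL's implicit AND between the two `Processes.process_path` terms, which reads ambiguously directly beneath an explicit `OR`; writing `Processes.process_path = "*\\BraveSoftware\\Brave-Browser*" AND Processes.process_path = "*\\tor-*"` makes the intent explicit. That second term is also much looser than the `tor-*-win32-brave-*` pattern of the previous patch, so any path component beginning with `tor-` under a Brave profile now matches; if that widening is deliberate, a sentence in `known_false_positives` saying so would help the analyst triaging a hit. `data_source` now lists `CrowdStrike ProcessRollup2`, yet the only entry under `tests` is the Sysmon dataset, so coverage for that source is unverified — either add a CrowdStrike-sourced test or hold the claim until one exists.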
@@ -1,97 +0,0 @@
-name: Windows TOR Client Execution
-id: f164bc6f-ecbe-45e0-aaa6-f5c4d8c84b9a
-version: 1
-date: '2026-01-26'
-author: Vignesh Subramanian, Splunk
-status: production
-type: Anomaly
-description: The following analytic detects execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity. Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement. While TOR can be used for legitimate research and privacy purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.
-data_source:
-- Windows Event Log Security 4688
-- Sysmon EventID 1
-search: |
- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
- from datamodel=Endpoint.Processes
- where Processes.process_name = "tor.exe"
- OR Processes.process_path = "*\\BraveSoftware\\Brave-Browser\\User Data\\*\\tor-*-win32-brave-*"
- by Processes.action
- Processes.dest
- Processes.original_file_name
- Processes.parent_process
- Processes.parent_process_exec
- Processes.parent_process_guid
- Processes.parent_process_id
- Processes.parent_process_name
- Processes.parent_process_path
- Processes.process
- Processes.process_exec
- Processes.process_guid
- Processes.process_hash
- Processes.process_id
- Processes.process_integrity_level
- Processes.process_name
- Processes.process_path
- Processes.user
- Processes.user_id
- Processes.vendor_product
- | `drop_dm_object_name(Processes)`
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `windows_tor_client_execution_filter`
-how_to_implement: This detection uses the Endpoint.Processes data model and it requires Windows process creation logs from Windows Security EventCode=4688 or Sysmon EventID=1. Ensure that these events are onboarded and mapped to the Endpoint.Processes data model in accordance with the Splunk Common Information Model (CIM).
-known_false_positives: This detection focuses on TOR-related processes and may generate benign matches in environments where TOR is intentionally used, such as security testing, research, or lab environments.
-references:
-- https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/
-- https://attack.mitre.org/software/S0183/
-- https://attack.mitre.org/techniques/T1090/003/
-drilldown_searches:
-- name: View the detection results for - "$dest$" and "$user$"
- search: '%original_detection_search% | search dest = "$dest$" user="$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
- "$user$") starthoursago=168 | stats count min(_time)
- as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
- as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
- as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
- by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: TOR client process $process_name$ was launched by parent process $parent_process_name$ on host $dest$ by the user $user$ with command line $process$
- risk_objects:
- - field: dest
- type: system
- score: 50
- - field: user
- type: user
- score: 50
- threat_objects:
- - field: parent_process_name
- type: parent_process_name
- - field: process_name
- type: process_name
- - field: process
- type: process
-tags:
- analytic_story:
- - Compromised Windows Host
- - Windows Post-Exploitation
- - Command And Control
- - Data Exfiltration
- - Data Protection
- asset_type: Endpoint
- mitre_attack_id:
- - T1090.003
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: endpoint
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1090.003/windows_tor_client_execution/windows-sysmon.log
- sourcetype: XmlWinEventLog
- source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational