
Summary
This detection rule identifies execution of the Tor client or the Tor Browser on Windows hosts. It matches process-creation events whose image is 'tor.exe', or 'firefox.exe' when that binary is launched from the Tor Browser installation directory; a stock Firefox install outside that path is not intended to match. The rule is aimed at security teams monitoring for command-and-control (C2) traffic that uses onion routing to hide its destination. Because Tor anonymizes network traffic and can be used by threat actors to communicate with infrastructure that is hard to attribute or block, its presence on a managed host is a useful indicator of possible malicious activity. The rule is rated high severity because of the risk that unauthorized use of such tools poses, particularly in environments that handle sensitive data. False positives are possible: the detection also fires on legitimate use such as privacy-focused browsing or research, so an alert needs context (the user, the host's role, whether the tool is sanctioned, and any associated network destinations) before it is treated as malicious.
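The matching logic described above, run over a few constructed process-creation records, as an added example that is not the rule's own definition. It assumes the two image conditions summarized in the text: a file name of tor.exe anywhere on disk, and firefox.exe only when it sits under the Tor Browser bundle directory (the `Tor Browser\Browser\` path fragment is an assumption about that layout). Field names follow Sysmon Event ID 1 (`Image`, `User`); the sample events are made up.

```python
import re

# Image-path conditions modelled on the summary above (assumed, not the rule's
# own text). Windows paths are case-insensitive, so the match is too.
TOR_EXE = re.compile(r"\\tor\.exe$", re.IGNORECASE)
# firefox.exe only counts when launched from the Tor Browser bundle directory
# (assumed layout: ...\Tor Browser\Browser\firefox.exe).
TOR_BROWSER_FIREFOX = re.compile(r"\\tor browser\\browser\\firefox\.exe$", re.IGNORECASE)


def is_tor_execution(event: dict) -> bool:
    """Return True if a process-creation event's Image matches the Tor rule."""
    image = event.get("Image", "")
    return bool(TOR_EXE.search(image) or TOR_BROWSER_FIREFOX.search(image))


def find_matches(events):
    """Filter process-creation (Sysmon EventID 1) records down to rule hits."""
    return [e for e in events if e.get("EventID") == 1 and is_tor_execution(e)]


# Constructed Sysmon-style records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Users\alice\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe"},
    {"EventID": 1, "User": "CORP\\alice",
     "Image": r"C:\Users\alice\Desktop\Tor Browser\Browser\firefox.exe"},
    # Ordinary Firefox outside the Tor Browser directory: must NOT match.
    {"EventID": 1, "User": "CORP\\bob",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe"},
    # Standalone client copied elsewhere, odd casing: still matches on name.
    {"EventID": 1, "User": "CORP\\carol",
     "Image": r"C:\Temp\TOR.EXE"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT Tor execution: {hit['User']} -> {hit['Image']}")
```

The third record is the false-positive guard the summary implies: a normal Firefox install is excluded only because the path condition is tied to the Tor Browser directory, not to the file name alone. Note that name- and path-based matching is the rule's scope, so a tor.exe renamed by the operator, or a Tor Browser bundle unpacked under a different folder name, falls outside what this rule can see; correlating with network telemetry covers that gap.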
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-02-20