FZ / 84397453-99d6-4a8a-a11d-219287a39ce6
Curl Download Followed by MSI Execution in One Windows Command
Detects a Windows command line that combines curl retrieval of an MSI payload with msiexec execution, as observed in UNC3753 remote-support social engineering.
Sigma source
Raw YAMLtitle: Curl Download Followed by MSI Execution in One Windows Command
id: 84397453-99d6-4a8a-a11d-219287a39ce6
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Detects a Windows command line that combines curl retrieval of an MSI payload with msiexec execution, as observed in UNC3753 remote-support social engineering.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/
logsource:
category: process_creation
product: windows
detection:
selection_shell:
Image|endswith:
- '\\cmd.exe'
- '\\powershell.exe'
- '\\pwsh.exe'
selection_chain:
CommandLine|contains|all:
- 'curl'
- '.msi'
- 'msiexec'
condition: selection_shell and selection_chain
falsepositives:
- Authorized software deployment or support scripts that retrieve and install MSI packages from approved locations
level: medium
tags:
- attack.execution
- attack.t1059.003
- attack.t1204.002
telemetry_assumptions:
- Windows process creation events retain the full image path and command line.
- Parent process, user, signer, and network telemetry are available for triage.
related_publication: unc3753-vishing-extortion-law-firms
Published with UNC3753 turns helpdesk vishing into rapid data theft.