FZ / 84397453-99d6-4a8a-a11d-219287a39ce6

Curl Download Followed by MSI Execution in One Windows Command

Detects a Windows command line that combines curl retrieval of an MSI payload with msiexec execution, as observed in UNC3753 remote-support social engineering.

Sigma source

Raw YAML
title: Curl Download Followed by MSI Execution in One Windows Command
id: 84397453-99d6-4a8a-a11d-219287a39ce6
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Detects a Windows command line that combines curl retrieval of an MSI payload with msiexec execution, as observed in UNC3753 remote-support social engineering.
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/
logsource:
  category: process_creation
  product: windows
detection:
  selection_shell:
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\pwsh.exe'
  selection_chain:
    CommandLine|contains|all:
      - 'curl'
      - '.msi'
      - 'msiexec'
  condition: selection_shell and selection_chain
falsepositives:
  - Authorized software deployment or support scripts that retrieve and install MSI packages from approved locations
level: medium
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1204.002
telemetry_assumptions:
  - Windows process creation events retain the full image path and command line.
  - Parent process, user, signer, and network telemetry are available for triage.
related_publication: unc3753-vishing-extortion-law-firms

Published with UNC3753 turns helpdesk vishing into rapid data theft.