PUA - NimScan Execution

Sigma Rules

Summary
This rule detects execution of NimScan, a port-scanning utility that adversaries were observed using in early 2025 to scan for open ports on compromised remote hosts. It monitors process creation events on Windows systems, looking for processes whose image names end with 'NimScan.exe' and matching several specific hash values that correspond to known versions of the tool. The rule surfaces potential use of NimScan for reconnaissance, helping to identify and mitigate such adversarial activity.
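The two conditions named in the summary, applied to Sysmon-style process creation records, as an added example that is not the rule's own source. The hash value is a placeholder because the page does not list the rule's hashes, and reporting name-only and hash-only hits separately is an assumption about how an analyst would triage them.

```python
# Added example, not the rule's source. Events and hash values are constructed.
# Placeholder: the page does not list the hash values the rule matches.
KNOWN_HASHES = {"SHA256=" + "A" * 64}


def parse_hashes(field):
    """Split a Sysmon-style 'Hashes' string (ALGO=HEX,ALGO=HEX) into tokens."""
    return {tok.strip().upper() for tok in field.split(",") if "=" in tok}


def classify(event, known=KNOWN_HASHES):
    """Report which of the summary's two conditions a process event meets."""
    # Sigma string matching is case-insensitive, so compare in lower case.
    by_name = event.get("Image", "").lower().endswith("nimscan.exe")
    by_hash = bool(parse_hashes(event.get("Hashes", "")) & known)
    if by_name and by_hash:
        return "name+hash"
    if by_hash:
        return "hash-only"   # known build running under another file name
    if by_name:
        return "name-only"   # file name matches, build is not in the hash list
    return None


def triage(events):
    """Return (image, verdict) for every event that meets a condition."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("Image", ""), verdict))
    return hits


# Constructed process creation records (EventID 1 style fields).
KNOWN = "sha256=" + "a" * 64
OTHER = "SHA256=" + "B" * 64
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\NimScan.exe", "Hashes": "MD5=" + "1" * 32 + "," + KNOWN},
    {"Image": r"C:\Windows\Temp\svc.exe", "Hashes": KNOWN},
    {"Image": r"C:\Tools\nimscan.exe", "Hashes": OTHER},
    {"Image": r"C:\Windows\System32\notepad.exe", "Hashes": OTHER},
]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10} {image}")
```

A name-only hit is the weakest signal of the three, since a file name is trivially changed and can collide with unrelated software; a hash hit identifies a specific known build regardless of what the file is called.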
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2025-02-05