
NirCmd Execution (PowerShell)

Anvilogic Forge

Summary
NirCmd is a lightweight command-line utility that performs various administrative tasks, such as taking screenshots, deleting files from the Recycle Bin, and modifying registry keys, without a user interface. These legitimate uses make it a handy tool for system administrators; however, its capabilities have also attracted malicious actors, including the Mint Sandstorm (also known as PHOSPHORUS) group, which has been known to use renamed instances of NirCmd to execute malicious code stealthily. This detection rule targets the execution of NirCmd.exe together with command-line patterns that indicate potential abuse of its functionality. The rule uses regex filtering to identify NirCmd executions in their various forms, including cases where the executable has been renamed or otherwise altered. To reduce false positives, allowlist known benign uses of NirCmd together with their legitimate command-line arguments. The detection logic is written in Splunk: it highlights events that match criteria related to NirCmd's operations and correlates them with PowerShell logs and other relevant data points.
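The page does not reproduce the Splunk query itself, so the following is an added illustration of the same detection idea in Python, not Anvilogic's rule logic. It evaluates constructed process-creation events (image path, command line, parent image, PE OriginalFileName) and PowerShell script-block text: a renamed binary is still caught through OriginalFileName, a PowerShell parent is noted as the correlation the rule title refers to, and an allowlist entry suppresses a known-benign invocation. Field names, sample paths, the allowlist entry and the sample events are assumptions; the sub-command names (savescreenshot, emptybin, regsetval, mutesysvolume) are NirCmd's own.

```python
"""Added example: NirCmd execution detection over constructed endpoint events.
Not the Anvilogic Forge Splunk logic; field names and samples are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# nircmd.exe and nircmdc.exe (the console build) at the end of an image path.
NIRCMD_IMAGE = re.compile(r"(?:^|[\\/])nircmdc?\.exe$", re.IGNORECASE)
# A renamed copy keeps its PE OriginalFileName, so match that field as well.
NIRCMD_ORIGINAL = re.compile(r"^nircmdc?\.exe$", re.IGNORECASE)
# NirCmd sub-commands matching the behaviours the summary lists
# (screenshots, Recycle Bin, registry changes).
NIRCMD_VERBS = re.compile(
    r"\b(savescreenshot(?:full)?|emptybin|reg(?:set|del)val|regdelkey)\b",
    re.IGNORECASE,
)
POWERSHELL_PARENT = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)\.exe$", re.IGNORECASE)
# Name reference inside script-block text (e.g. PowerShell event 4104).
SCRIPT_NAME = re.compile(r"\bnircmdc?(?:\.exe)?\b", re.IGNORECASE)

# Constructed allowlist: (parent image pattern, command-line pattern) pairs for
# benign, documented uses. Both must match for an event to be suppressed.
ALLOWLIST = [
    (re.compile(r"(?:^|[\\/])deploy\.exe$", re.IGNORECASE),   # hypothetical deployment tool
     re.compile(r"\bmutesysvolume\b", re.IGNORECASE)),
]


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    original_file_name: str = ""


def is_nircmd(ev: ProcessEvent) -> bool:
    """True when the image name or the PE OriginalFileName identifies NirCmd."""
    return bool(NIRCMD_IMAGE.search(ev.image) or NIRCMD_ORIGINAL.match(ev.original_file_name))


def is_allowlisted(ev: ProcessEvent) -> bool:
    return any(parent.search(ev.parent_image) and args.search(ev.command_line)
               for parent, args in ALLOWLIST)


def evaluate_process(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string when the process event should alert, else None."""
    if not is_nircmd(ev) or is_allowlisted(ev):
        return None
    reasons = []
    if not NIRCMD_IMAGE.search(ev.image):
        reasons.append("renamed binary (OriginalFileName=%s)" % ev.original_file_name)
    if POWERSHELL_PARENT.search(ev.parent_image):
        reasons.append("launched from PowerShell")
    verb = NIRCMD_VERBS.search(ev.command_line)
    if verb:
        reasons.append("suspicious verb %s" % verb.group(1).lower())
    # Plain execution still alerts; the extra reasons are for triage priority.
    return "; ".join(reasons) if reasons else "nircmd execution"


def evaluate_script_block(text: str) -> Optional[str]:
    """Flag PowerShell script-block text that names NirCmd or uses one of its verbs.
    A verb-only hit (renamed binary) is a weaker signal and is worth tuning."""
    name, verb = SCRIPT_NAME.search(text), NIRCMD_VERBS.search(text)
    if not name and not verb:
        return None
    parts = []
    if name:
        parts.append("references nircmd by name")
    if verb:
        parts.append("uses NirCmd verb %s" % verb.group(1).lower())
    return "; ".join(parts)


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Tools\nircmd.exe", r"nircmd.exe savescreenshot C:\Users\Public\s.png",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "nircmd.exe"),
    ProcessEvent(r"C:\Users\Public\svc.exe", r"svc.exe regsetval hklm SOFTWARE\Example\Run x 1",
                 r"C:\Windows\explorer.exe", "nircmd.exe"),
    ProcessEvent(r"C:\Program Files\IT\nircmdc.exe", r'"C:\Program Files\IT\nircmdc.exe" mutesysvolume 1',
                 r"C:\Program Files\IT\deploy.exe", "nircmdc.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe", "NOTEPAD.EXE"),
]
SAMPLE_SCRIPT = r'& "$env:TEMP\nc.exe" emptybin'


def run_samples() -> List[Optional[str]]:
    return [evaluate_process(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, reason in zip(SAMPLE_EVENTS, run_samples()):
        print(ev.image, "->", reason or "no alert")
    print("script block ->", evaluate_script_block(SAMPLE_SCRIPT) or "no alert")
```

The OriginalFileName check is what makes the renamed-binary case (the second sample) visible; a rule keyed only on the image name would miss it. The allowlist is keyed on parent process plus arguments rather than on the binary path alone, so a copy of NirCmd dropped elsewhere does not inherit the exemption.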
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Script
  • Application Log
ATT&CK Techniques
  • T1113
  • T1059
  • T1070
Created: 2025-03-28