Detection of tools built by NirSoft

Splunk Security Content

Summary
This rule identifies the execution of legitimate tools created by NirSoft. Although the tools are benign by design, attackers can abuse them for activities such as credential theft and system reconnaissance. The detection keys on specific command-line arguments associated with these tools, including '/stext' and '/scomma'.

The rule processes telemetry generated by Endpoint Detection and Response (EDR) agents, capturing process names, parent processes, and command-line arguments through Sysmon and the Windows Event Log. Recognising this behaviour lets organisations act on unauthorized access attempts, data exfiltration, or broader system compromise.

To implement the rule effectively, process execution logs must be ingested into a security monitoring system such as Splunk and accurately mapped to the Endpoint data model. Detected events should be reviewed carefully to minimize false positives and to verify whether the activity reflects legitimate use.
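As an added illustration (not the Splunk rule's own search or code), the following Python emulates the rule's core check over constructed process-creation events: it tokenises each command line, flags whole-token matches for the '/stext' and '/scomma' switches named above, and groups hits by host with the parent process for triage. The event field names, the sample hosts and the placeholder tool names are assumptions.

```python
import shlex
from dataclasses import dataclass

# Switches the rule keys on (taken from the rule summary above); extend as needed.
NIRSOFT_SWITCHES = {"/stext", "/scomma"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon/EDR process-creation record (field names are assumed)."""
    host: str
    process_name: str
    parent_process_name: str
    command_line: str


def nirsoft_switches_in(command_line: str) -> set:
    """Return the NirSoft output switches present in a command line.

    Windows-style tokenisation (posix=False) keeps backslashes in paths intact;
    comparison is case-insensitive so '/STEXT' is treated like '/stext'.
    A whole token must match: '/text' or '/s' alone are not hits.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = command_line.split()
    return {t.lower() for t in tokens} & NIRSOFT_SWITCHES


def detect(events):
    """Apply the rule to a sequence of events; return (event, switches) hits."""
    hits = []
    for ev in events:
        found = nirsoft_switches_in(ev.command_line)
        if found:
            hits.append((ev, sorted(found)))
    return hits


def summarize(hits):
    """Group hits by host for triage, keeping the parent process for context."""
    by_host = {}
    for ev, switches in hits:
        by_host.setdefault(ev.host, []).append(
            (ev.process_name, ev.parent_process_name, ",".join(switches)))
    return by_host


# Constructed sample telemetry (not real logs); tool names are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "tool_a.exe", "cmd.exe",
                 r'"C:\Temp\tool_a.exe" /stext C:\Temp\out.txt'),
    ProcessEvent("ws01", "notepad.exe", "explorer.exe", r"notepad.exe C:\Temp\out.txt"),
    ProcessEvent("ws02", "tool_b.exe", "powershell.exe", r"tool_b.exe /SCOMMA report.csv"),
    ProcessEvent("ws03", "setup.exe", "msiexec.exe", r"setup.exe /S /text"),
]
```

Running `summarize(detect(SAMPLE_EVENTS))` on the sample yields hits only for ws01 and ws02; the `/S /text` installer line on ws03 is correctly ignored because neither token equals a monitored switch.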
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Process
ATT&CK Techniques
  • T1072
Created: 2024-11-13