
Summary
This rule detects execution of the NirCmd tool being used to run commands as the SYSTEM user in a Windows environment. NirCmd is a command-line utility that lets users perform a variety of tasks, including executing other programs or commands without opening a window. The detection specifically looks for command-line arguments containing 'runassystem'. Executing commands at the SYSTEM level can indicate unauthorized activity or malware attempting to gain elevated privileges for persistence or to carry out malicious operations. This rule is particularly useful for identifying potential misuse of NirCmd, which regular users rarely run but which attackers could leverage to escalate privileges on Windows systems. Administrators should be aware that legitimate use of this utility by system administrators may occasionally trigger this detection, so careful investigation is advised.
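The matching logic described above, replayed over a few constructed process-creation events, as an added example that is not the rule's own definition; the event fields, file paths, account names and the renamed-binary triage hint are assumptions for illustration.

```python
"""Added example (not the rule's own definition): emulate the detection
described above over constructed process-creation events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation record (e.g. Sysmon Event ID 1)."""
    image: str         # full path of the started executable
    command_line: str  # command line exactly as logged
    user: str          # account that launched the process
    parent_image: str  # parent executable, kept for analyst context


def matches_nircmd_runassystem(ev: ProcessEvent) -> bool:
    """Core logic of the rule: the command line contains 'runassystem'.
    Sigma 'contains' matching is case-insensitive, so lower-case first."""
    return "runassystem" in ev.command_line.lower()


def triage_hints(ev: ProcessEvent) -> list[str]:
    """Assumed enrichment (not part of the rule): note when the image name
    differs from nircmd.exe, since the rule keys on arguments, not the binary."""
    hints = []
    if PureWindowsPath(ev.image).name.lower() != "nircmd.exe":
        hints.append("binary name is not nircmd.exe: possibly a renamed copy")
    return hints


def scan(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events that would raise this alert."""
    return [ev for ev in events if matches_nircmd_runassystem(ev)]


# Constructed sample events; paths and account names are made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Tools\nircmd.exe", r"C:\Tools\nircmd.exe runassystem cmd.exe",
                 r"CORP\jdoe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Tools\nircmd.exe", r"C:\Tools\nircmd.exe win hide class Notepad",
                 r"CORP\jdoe", r"C:\Windows\explorer.exe"),   # other NirCmd use: no alert
    ProcessEvent(r"C:\Users\Public\update.exe", r"C:\Users\Public\update.exe RunAsSystem cmd.exe",
                 r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe"),  # mixed case, renamed
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt",
                 r"CORP\asmith", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} parent={hit.parent_image}: {hit.command_line}")
        for hint in triage_hints(hit):
            print("   -", hint)
```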
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-01-24