
Summary
NirCmd is a versatile command line utility created by Nir Sofer that performs administrative tasks such as emptying the Recycle Bin, modifying Windows registry keys, taking screenshots, and executing commands without a user interface. Although it is a legitimate tool frequently used by system administrators, it has been co-opted by malicious actors such as the Mint Sandstorm group (also known as PHOSPHORUS) to execute harmful code while disguised under different file names. This detection rule targets instances where NirCmd.exe is invoked, or where the command line arguments are indicative of potentially abusive activity, even when the executable has been renamed. The logic combines explicit references to NirCmd with the broader command patterns typical of its malicious use. It uses Splunk logic to filter for the relevant processes and their arguments, allowing security analysts to identify and respond to these potentially harmful executions. To reduce false positives, known legitimate uses of the utility that employ the same command line structures should be allowlisted.
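The detection approach described above, as an added example that is not part of this rule's Splunk logic: it flags process events by binary name, by the PE original filename (which survives renaming), and by NirCmd command verbs in the arguments, then suppresses an allowlisted legitimate use. The sample events, the allowlist, and the set of NirCmd verbs matched are assumptions of this example; the page does not enumerate the argument patterns its rule uses.

```python
import re

# Constructed sample process events in a Sysmon-like shape (not from the page).
SAMPLE_EVENTS = [
    {"image": r"C:\Tools\nircmd.exe", "original_file_name": "NirCmd.exe",
     "cmdline": r'nircmd.exe savescreenshot "C:\Screens\daily.png"'},
    {"image": r"C:\Users\Public\svchost32.exe", "original_file_name": "NirCmd.exe",
     "cmdline": r"svchost32.exe exec hide cmd.exe /c whoami"},
    {"image": r"C:\Temp\update.exe", "original_file_name": "update.exe",
     "cmdline": r'update.exe regsetval sz "HKCU\Software\X" "Run" "abc"'},
    {"image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "cmdline": r"cmd.exe /c dir"},
]

# The NirCmd verbs matched here are an assumption of this example; the page
# itself does not enumerate which argument patterns its rule matches.
NIRCMD_VERB_RE = re.compile(
    r"(?:^|\s)(savescreenshot|regsetval|emptybin|exec\s+hide)(?:\s|$)", re.I)

# Constructed allowlist of known-legitimate admin usage: (image path, verb).
ALLOWLIST = [(r"c:\tools\nircmd.exe", "savescreenshot")]

def name_indicators(event):
    """Reasons based on the binary's name or PE original filename (survives renaming)."""
    reasons = []
    if event["image"].lower().endswith("\\nircmd.exe"):
        reasons.append("image=nircmd.exe")
    if event.get("original_file_name", "").lower() == "nircmd.exe":
        reasons.append("original_file_name=NirCmd.exe")
    return reasons

def cmdline_indicator(event):
    """The NirCmd verb found in the command line (whitespace-normalised), or None."""
    m = NIRCMD_VERB_RE.search(event["cmdline"])
    return re.sub(r"\s+", " ", m.group(1).lower()) if m else None

def is_allowlisted(event, verb):
    return (event["image"].lower(), verb) in ALLOWLIST

def detect(events):
    """Return [(index, reasons)] for events that look like NirCmd use, renamed or not."""
    hits = []
    for i, ev in enumerate(events):
        reasons = name_indicators(ev)
        verb = cmdline_indicator(ev)
        if verb:
            reasons.append(f"cmdline verb={verb}")
        if reasons and not (verb and is_allowlisted(ev, verb)):
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], why)
```

Running it flags the renamed copy (caught by original filename and the `exec hide` verb) and the binary with no NirCmd name at all (caught by `regsetval` alone), while the allowlisted screenshot job from the admin tools path is suppressed.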
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1113
- T1059
- T1070
Created: 2025-03-28