
NirCmd Execution (WinEvent)

Anvilogic Forge

Summary
NirCmd is a versatile command line utility that lets users perform administrative tasks such as modifying system settings, taking screenshots, and executing commands without a visible window. Despite its legitimate uses, it has been co-opted by threat actors, notably the Mint Sandstorm group, to carry out malicious activity under the cover of legitimate processes. This detection rule identifies NirCmd execution by looking for command line patterns typically associated with its misuse, so that it still fires when the executable has been renamed. The rule uses Splunk to monitor and filter process events for NirCmd executions, capturing key fields such as the process name and parent process. Recommendations include allowing known legitimate usage while maintaining vigilance against malicious executions.
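The following Python is an added illustration of the detection idea described above, not the Forge rule's own Splunk search. It classifies process creation events by NirCmd command line verbs rather than by image name, so a renamed binary is still flagged, and it applies a parent-process allowlist for sanctioned usage. The event field names (Image, CommandLine, ParentImage), the verb list (taken from NirCmd's public usage documentation) and the sample events are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# NirCmd verbs tied to the behaviours the rule summary names (screenshots,
# hidden execution). Matching the command line rather than the image name is
# what keeps a renamed binary detectable. Assumed list from NirCmd's public
# docs, not the rule's own patterns.
NIRCMD_VERB_RE = re.compile(
    r"(?i)(?:^|\s)"
    r"(savescreenshot(?:full)?|execmd|cmdwait|exec\s+hide|win\s+hide|"
    r"sendkeypress|speak\s+text|elevate)\b"
)

# The binary's well-known file names; anything else carrying these verbs is
# treated as a renamed copy.
KNOWN_IMAGE_RE = re.compile(r"(?i)(?:^|[\\/])nircmdc?\.exe$")


@dataclass
class Finding:
    image: str
    parent: str
    verb: str
    renamed: bool


def classify(event):
    """Return a Finding if the event looks like NirCmd execution, else None."""
    cmd = event.get("CommandLine", "")
    m = NIRCMD_VERB_RE.search(cmd)
    if not m:
        return None
    image = event.get("Image", "")
    verb = " ".join(m.group(1).split()).lower()  # collapse "exec  hide" etc.
    return Finding(
        image=image,
        parent=event.get("ParentImage", ""),
        verb=verb,
        renamed=not KNOWN_IMAGE_RE.search(image),
    )


def scan(events, allowed_parents=frozenset()):
    """Classify every event; suppress hits from allowlisted parents only when
    the binary still carries its real name (a renamed copy under a sanctioned
    parent stays suspicious)."""
    allowed = {p.lower() for p in allowed_parents}
    findings = []
    for ev in events:
        f = classify(ev)
        if f is None:
            continue
        if not f.renamed and f.parent.lower() in allowed:
            continue
        findings.append(f)
    return findings


# Constructed Sysmon-style process creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\nircmd.exe",
     "ParentImage": r"C:\Program Files\ITAdmin\agent.exe",
     "CommandLine": r'nircmd.exe savescreenshot "C:\Temp\helpdesk.png"'},
    {"Image": r"C:\Users\Public\svc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'svc.exe savescreenshotfull "C:\Users\Public\s.png"'},
    {"Image": r"C:\Users\Public\svc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svc.exe exec hide notepad.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Temp"},
]

if __name__ == "__main__":
    # Hypothetical sanctioned parent for an IT helpdesk agent.
    for f in scan(SAMPLE_EVENTS, {r"c:\program files\itadmin\agent.exe"}):
        print(f"NirCmd verb '{f.verb}' from {f.image} (renamed={f.renamed}), parent {f.parent}")
```

With the allowlist applied, the helpdesk agent's genuine nircmd.exe screenshot is suppressed, while the two events from the renamed copy under cmd.exe are reported. In a Splunk search the same logic maps to a regex on the command line field plus a NOT clause on the parent process for approved usage.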
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1113
  • T1059
  • T1070
Created: 2025-03-28