
Renamed NirCmd.EXE Execution

Sigma Rules

Summary
This detection rule captures the execution of a renamed copy of "NirCmd.exe", a versatile command-line utility that can perform a wide range of tasks on Windows systems. The rule inspects process creation events and flags cases where the original file name recorded in the executable's metadata is "NirCmd.exe" but the executing image has a different file name. That metadata matters because attackers often rename well-known utilities to evade detection when leveraging them in attacks; the binary's embedded original file name survives the rename, while the on-disk image name does not. By combining a condition on the original file name with a condition on the path of the main executable image, the rule filters out legitimate, unrenamed uses of the program while flagging potentially malicious executions. This matters given recent campaigns that have used tools like NirCmd to execute unauthorized commands or to evade defenses. The rule is categorized under the execution and defense evasion tactics and is tailored to Windows environments.
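The following is an added example of the detection logic described above, not the Sigma rule itself or any code from its maintainers. It assumes Sysmon-style process creation fields (`Image`, `OriginalFileName`) and runs over constructed sample events; string comparisons are case-insensitive, as in Sigma matching.

```python
import ntpath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    # Legitimate, unrenamed NirCmd: original file name and image name agree.
    {"Image": r"C:\Tools\NirCmd.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": "nircmd.exe mutesysvolume 1"},
    # Renamed NirCmd masquerading as a system binary: should be flagged.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": 'svchost.exe win close title "Notepad"'},
    # Unrelated process: not NirCmd at all.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Renamed NirCmd with lowercase metadata: matching must be case-insensitive.
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "nircmd.exe",
     "CommandLine": "update.exe exec hide cmd.exe"},
    # Metadata stripped from the PE: the rule cannot fire (known detection gap).
    {"Image": r"C:\Temp\helper.exe", "OriginalFileName": "",
     "CommandLine": "helper.exe win hide title \"Task Manager\""},
]


def is_renamed_nircmd(event):
    """True when the PE metadata says NirCmd.exe but the image file name differs."""
    original = event.get("OriginalFileName", "").lower()
    if original != "nircmd.exe":
        # Either not NirCmd, or the original file name was stripped/absent.
        return False
    # Compare only the file name component of the image path.
    image_name = ntpath.basename(event.get("Image", "")).lower()
    return image_name != "nircmd.exe"


def find_renamed_nircmd(events):
    """Return the subset of events that the rule would flag."""
    return [e for e in events if is_renamed_nircmd(e)]


if __name__ == "__main__":
    for hit in find_renamed_nircmd(SAMPLE_EVENTS):
        print("ALERT renamed NirCmd:", hit["Image"], "|", hit["CommandLine"])
```

Because the match hinges on the embedded original file name, a copy whose version resource has been stripped or altered produces no alert; pairing this rule with hash- or command-line-based detections narrows that gap.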
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2024-03-11