PUA - NirCmd Execution

Sigma Rules

Summary
The 'PUA - NirCmd Execution' rule detects invocations of the NirCmd utility for command execution on Windows systems. NirCmd is a legitimate command-line tool that lets users perform a wide range of tasks without a GUI, but that same versatility lets malicious actors run arbitrary commands under the cover of routine administrative activity.

The rule identifies NirCmd execution from process creation events using two selection criteria: the executing image ends with 'NirCmd.exe', or the original file name (the name embedded in the PE version resource, which survives renaming of the binary on disk) is 'NirCmd.exe'. In addition, the rule looks for command-line arguments characteristic of NirCmd's command execution features, such as 'execmd', '.exe script' and 'runinteractive', among others. The condition is a logical OR: an alert is raised if either of the image-based selections matches or if any of the listed command-line patterns is present. This balances sensitivity to potentially malicious use against legitimate use of NirCmd by administrators.
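The following matcher, added here as an illustration rather than code from the Sigma project, implements the selection logic just described over process creation events. It assumes events normalised to Sysmon-style field names (Image, OriginalFileName, CommandLine), matches the command-line fragments as case-insensitive substrings the way Sigma's 'contains' modifier does, and covers only the three patterns named on this page; the full rule lists more.

```python
"""Reference matcher for the 'PUA - NirCmd Execution' detection logic.

Added example, not the Sigma project's own code. Assumes Sysmon-style
field names and implements only the command-line patterns named above.
"""

# Selection 1: identify NirCmd by binary name or by its PE original file name
IMAGE_SUFFIX = "nircmd.exe"
ORIGINAL_FILE_NAME = "nircmd.exe"

# Selection 2: command-line fragments typical of NirCmd command execution
# (assumption: only the three patterns the summary names; the rule has more)
CMDLINE_PATTERNS = ("execmd", ".exe script", "runinteractive")


def matches_nircmd_rule(event: dict) -> list:
    """Return the names of the selections an event satisfies (empty = no alert).

    The condition is an OR of the selections, so a renamed NirCmd binary is
    still caught by its original file name or its command line, and a
    NirCmd.exe launched for a harmless task is still flagged by image name.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    hits = []
    if image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME:
        hits.append("selection_img")
    if any(pattern in cmdline for pattern in CMDLINE_PATTERNS):
        hits.append("selection_cli")
    return hits


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\NirCmd.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": "NirCmd.exe speak text hello"},       # image name only
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "",
     "CommandLine": "svc.exe execmd hostname"},           # command line only
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir"},                    # no match
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = matches_nircmd_rule(ev)
        print(("ALERT " if hits else "ok    ") + ev["Image"], hits)
```

Running the script prints one line per sample event with the selections it triggered, which is a quick way to check how a tuning change to the patterns affects coverage.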
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-01-24