
Summary
NirCmd is a versatile command line utility commonly used for administrative tasks such as emptying the Recycle Bin, modifying registry keys, taking screenshots, and executing commands without a user interface. While it has legitimate purposes, it has also been exploited by threat actors, notably the Mint Sandstorm group, who renamed the NirCmd binary and used it to execute malicious code. This detection rule identifies executions of NirCmd.exe and specific command line argument patterns associated with abuse, including renamed copies of the utility. Monitoring for these patterns matters because the tool has both legitimate administrative uses and a documented record of abuse.
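The three signals the summary describes (the image name, a renamed copy that still carries NirCmd's original file name, and the characteristic command line verbs for screenshots, Recycle Bin emptying, registry edits and hidden execution) can be checked directly against process creation telemetry. The following is an added example written for this page, not the rule's own logic and not code from NirSoft or the rule author; it assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine) and that NirCmd's PE version resource reports the original file name "NirCmd.exe", both of which are assumptions. The sample events are constructed.

```python
"""Toy NirCmd detector over Windows process-creation events (added example)."""
import shlex

# Argument-list prefixes for the NirCmd verbs behind the behaviours the
# summary lists: screenshots, emptying the Recycle Bin, registry changes
# and hidden execution. Lower-cased; matched against argv[1:].
NIRCMD_VERB_PREFIXES = (
    ("savescreenshot",),
    ("savescreenshotfull",),
    ("emptybin",),
    ("regsetval",),
    ("regdelval",),
    ("exec", "hide"),
    ("execmd",),
    ("cmdwait",),
    ("win", "hide"),
)


def _basename(path):
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(cmdline):
    """Split a Windows command line and return the arguments after argv[0]."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    return [t.lower() for t in tokens[1:]]


def classify(event):
    """Return the reasons an event looks like NirCmd; empty list if none."""
    reasons = []
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    args = _args(event.get("CommandLine", ""))

    if image == "nircmd.exe":
        reasons.append("image name is nircmd.exe")
    # Renamed copy: version resource still says NirCmd.exe (assumed value).
    if original == "nircmd.exe" and image != "nircmd.exe":
        reasons.append(f"renamed binary: OriginalFileName=NirCmd.exe but Image={image}")
    for prefix in NIRCMD_VERB_PREFIXES:
        if tuple(args[:len(prefix)]) == prefix:
            reasons.append("NirCmd verb pattern: " + " ".join(prefix))
            break
    return reasons


def severity(reasons):
    """Rank hits: renamed copies highest, plain nircmd.exe lowest."""
    if not reasons:
        return None
    renamed = any(r.startswith("renamed") for r in reasons)
    verb = any(r.startswith("NirCmd verb") for r in reasons)
    named = any(r.startswith("image name") for r in reasons)
    if renamed or (verb and not named):
        return "high"    # NirCmd behaviour from a binary not called nircmd.exe
    if verb:
        return "medium"  # genuine nircmd.exe running a verb the rule cares about
    return "low"         # nircmd.exe with no flagged verb: often admin use


# Constructed sample telemetry (not from the page or any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\nircmd.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": r'"C:\Tools\nircmd.exe" emptybin'},
    {"Image": r"C:\ProgramData\update.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": r'"C:\ProgramData\update.exe" savescreenshot C:\ProgramData\s.png'},
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "",
     "CommandLine": r'"C:\Users\Public\svc.exe" exec hide "C:\Windows\System32\cmd.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]


def scan(events):
    """Run classify() over events and return the hits with a severity."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append({"image": event["Image"],
                         "severity": severity(reasons),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], hit["image"], "|", "; ".join(hit["reasons"]))
```

The second and third constructed events are the cases the summary calls out: a renamed binary that still reports NirCmd's original file name, and one whose version information has been stripped so that only the command line verb gives it away. In a production rule the verb check alone is the weakest of the three signals and is best combined with the image or original-file-name check, or with parent-process context, before alerting at high severity.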
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1113
- T1059
- T1070
Created: 2025-03-28