
Summary
This detection rule identifies files deleted with the Sysinternals SDelete utility, a secure-deletion tool that overwrites file contents before removal and that attackers use to wipe their own artifacts from disk. Before deleting a file, SDelete renames it 26 times, once per letter of the alphabet, to names made of a single repeated character (AAAAAAAA.AAA, BBBBBBBB.BBB, ... ZZZZZZZZ.ZZZ), so a deletion event for a file whose name ends in '.AAA' or '.ZZZ' is the signature the rule keys on. A filter exempts file deletions that stem from legitimate Wireshark activity, which would otherwise produce false positives. The rule consumes the Windows file_delete log source (for example Sysmon Event ID 23) and fires at medium severity for any matching deletion not covered by the filter. It supports detection of defense evasion through file deletion (indicator removal), a technique SDelete has been used for in real intrusions. Note that the suffix match alone is loose: any file ending in '.AAA' or '.ZZZ' deleted by any other process also matches, so correlate with the deleting process image or tighten the name pattern where the environment requires it.
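The rule's selection-and-filter logic, run over a handful of constructed Sysmon-style FileDelete events, as an added example that is not the Sigma project's own rule or code. Field names (TargetFilename, Image) follow the Sigma Windows file_delete log source; the shape of the Wireshark exemption (the deleting process image is Wireshark.exe) is an assumption made for illustration, since the page does not reproduce the rule's filter fields. The stricter full-name check at the end goes beyond what the rule as described does, and shows one way to cut the false positives mentioned above.

```python
"""Added example (not the Sigma project's code): the described rule's
condition 'selection and not filter_wireshark' evaluated over constructed
Sysmon-style FileDelete events, plus an optional tighter name check."""
import re

# What the rule selects on: the first and last of SDelete's 26 renames.
SDELETE_SUFFIXES = (".aaa", ".zzz")

# Assumption: the Wireshark exemption is modelled as "deleting image is Wireshark.exe".
WIRESHARK_IMAGE_SUFFIX = "\\wireshark.exe"

# Tightening beyond the rule: SDelete's rename names are one letter repeated
# in 8.3 form, e.g. AAAAAAAA.AAA. Unrelated files ending in .AAA/.ZZZ fail this.
SDELETE_NAME_RE = re.compile(r"^([A-Za-z])\1{7}\.\1{3}$")


def matches_selection(event: dict) -> bool:
    """Sigma 'endswith' compares case-insensitively by default, so lower() first."""
    return event.get("TargetFilename", "").lower().endswith(SDELETE_SUFFIXES)


def matches_wireshark_filter(event: dict) -> bool:
    """Assumed filter: the process that deleted the file is Wireshark.exe."""
    return event.get("Image", "").lower().endswith(WIRESHARK_IMAGE_SUFFIX)


def rule_fires(event: dict) -> bool:
    """condition: selection and not filter_wireshark, on file_delete events only."""
    if event.get("category") != "file_delete":
        return False
    return matches_selection(event) and not matches_wireshark_filter(event)


def is_sdelete_rename_name(target: str) -> bool:
    """Stricter check on the basename (text after the last backslash)."""
    basename = target.rsplit("\\", 1)[-1]
    return SDELETE_NAME_RE.match(basename) is not None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"category": "file_delete", "Image": "C:\\Tools\\sdelete64.exe",
     "TargetFilename": "C:\\Users\\a\\Documents\\ZZZZZZZZ.ZZZ"},              # fires
    {"category": "file_delete", "Image": "C:\\Program Files\\Wireshark\\Wireshark.exe",
     "TargetFilename": "C:\\Users\\a\\AppData\\Local\\Temp\\capture.AAA"},    # exempt
    {"category": "file_delete", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\a\\Downloads\\report.pdf"},                # no match
    {"category": "file_delete", "Image": "C:\\Tools\\sdelete64.exe",
     "TargetFilename": "C:\\Users\\a\\Documents\\aaaaaaaa.aaa"},              # fires (case)
    {"category": "file_create", "Image": "C:\\Tools\\sdelete64.exe",
     "TargetFilename": "C:\\Users\\a\\Documents\\AAAAAAAA.AAA"},              # wrong log source
    {"category": "file_delete", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\a\\Documents\\backup.zzz"},                # fires, loose match
]


def alerts(events: list) -> list:
    """TargetFilename of each event that fires the rule as described on the page."""
    return [e["TargetFilename"] for e in events if rule_fires(e)]


def strict_alerts(events: list) -> list:
    """Same, with the tightened SDelete name pattern applied on top."""
    return [t for t in alerts(events) if is_sdelete_rename_name(t)]


if __name__ == "__main__":
    for t in alerts(SAMPLE_EVENTS):
        print("rule fires:  ", t)
    for t in strict_alerts(SAMPLE_EVENTS):
        print("strict match:", t)
```

Run as-is: the loose rule fires three times (including backup.zzz deleted by svchost.exe), while the strict name pattern keeps only the two names that actually look like SDelete renames. Whether that tightening is safe depends on whether the environment ever sees the intermediate renames logged under other names; it is a tuning option, not part of the rule.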
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2020-05-02