Windows Data Destruction Recursive Exec Files Deletion

Splunk Security Content

Summary
This detection rule identifies potentially malicious recursive deletion of executable files on Windows systems. By analyzing Sysmon Event Codes 23 and 26, it tracks a high volume of deletions of critical file types such as .exe, .sys, and .dll. This type of behavior is often linked with destructive malware that aims to sabotage system recovery efforts, triggering widespread data loss and operational disruption. The rule sets a threshold (100 deletions within a 2-minute window) to trigger alerts, ensuring only significant activities are flagged. Implementing this detection requires ingesting process execution logs via Sysmon, ensuring proper configuration to mitigate false positives from legitimate software uninstallation or cleanup operations.
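The following is an added example, not Splunk's own search logic or code from the Splunk Security Content project. It implements the behaviour the summary describes in plain Python so the threshold logic can be run offline against constructed telemetry: filter Sysmon Event ID 23/26 records to .exe/.sys/.dll targets, group by host, and alert when 100 or more deletions land inside a 2-minute span. Assumptions are labelled in the code: the key=value line layout, grouping by the `Computer` field, and a sliding window rather than the fixed `bin span=2m` buckets a Splunk search would typically use (sliding is stricter, since a burst that straddles a bucket boundary still fires). The hosts, users, binary names and file paths in the sample are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sysmon event IDs the rule keys on: 23 = FileDelete (file archived), 26 = FileDeleteDetected.
DELETE_EVENT_CODES = {23, 26}
WATCHED_EXTENSIONS = (".exe", ".sys", ".dll")
THRESHOLD = 100                 # deletions needed to fire (from the rule description)
WINDOW = timedelta(minutes=2)   # observation span (from the rule description)

# ASSUMPTION: events arrive as key=value / key="quoted value" pairs, one event per line.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict; return None unless it is a Sysmon 23/26 event."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        if int(fields["EventCode"]) not in DELETE_EVENT_CODES:
            return None
        ts = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    except (KeyError, ValueError):
        return None  # malformed or not a deletion event: skip it rather than crash the pipeline
    return {
        "time": ts,
        "host": fields.get("Computer", "unknown"),   # ASSUMPTION: grouping key is the host
        "user": fields.get("User", "unknown"),
        "image": fields.get("Image", "unknown"),
        "target": fields.get("TargetFilename", ""),
    }


def is_executable(path):
    """True for the file types the rule watches (extension match is case-insensitive)."""
    return path.lower().endswith(WATCHED_EXTENSIONS)


def detect(lines):
    """Return one alert per host whose executable deletions reach THRESHOLD inside any WINDOW-long span."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_executable(ev["target"]):
            per_host[ev["host"]].append(ev)

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["time"])
        window = deque()   # sliding window: events no older than WINDOW relative to the newest one
        alert = None
        for ev in events:
            window.append(ev)
            while ev["time"] - window[0]["time"] > WINDOW:
                window.popleft()
            if len(window) >= THRESHOLD:
                if alert is None:   # fire once per host; keep enriching it as the burst continues
                    alert = {"host": host, "user": ev["user"], "first_seen": window[0]["time"],
                             "images": set(), "count": 0}
                    alerts.append(alert)
                alert["count"] = max(alert["count"], len(window))
                alert["images"].update(e["image"] for e in window)
    return alerts


def _line(code, when, host, user, image, target):
    """Build one constructed log line in the layout parse_event expects."""
    return (f'EventCode={code} UtcTime="{when:%Y-%m-%d %H:%M:%S}" Computer={host} '
            f'User="{user}" Image="{image}" TargetFilename="{target}"')


def sample_lines():
    """Constructed sample telemetry: one destructive burst, one benign uninstall, some noise."""
    base = datetime(2024, 11, 13, 9, 0, 0)
    lines = []
    # WS01: 120 .exe/.dll/.sys deletions in 90 seconds from one made-up binary -> must fire
    for i in range(120):
        ext = (".exe", ".dll", ".sys")[i % 3]
        lines.append(_line(26, base + timedelta(seconds=i * 0.75), "WS01", "CORP\\alice",
                           r"C:\Users\alice\AppData\Local\Temp\wiper.exe",
                           rf"C:\Windows\System32\file{i}{ext}"))
    # WS02: 30 .dll deletions in 60 seconds by an uninstaller -> legitimate cleanup, below threshold
    for i in range(30):
        lines.append(_line(23, base + timedelta(seconds=i * 2), "WS02", "CORP\\bob",
                           r"C:\Windows\System32\msiexec.exe",
                           rf"C:\Program Files\OldApp\module{i}.dll"))
    # Noise the filters must drop: a non-executable deletion and a non-deletion event (ID 11)
    lines.append(_line(23, base, "WS01", "CORP\\alice", r"C:\Windows\explorer.exe",
                       r"C:\Users\alice\notes.txt"))
    lines.append(_line(11, base, "WS01", "CORP\\alice", r"C:\Windows\explorer.exe",
                       r"C:\Users\alice\new.dll"))
    return lines


if __name__ == "__main__":
    for a in detect(sample_lines()):
        print(f"ALERT host={a['host']} user={a['user']} count={a['count']} "
              f"first_seen={a['first_seen']} images={sorted(a['images'])}")
```

Run as a script it prints a single alert for WS01; the WS02 uninstall stays silent because 30 deletions never reach the threshold, which is the false-positive margin the summary refers to. Tuning in practice happens on the same three knobs shown as constants here: the threshold, the window, and which extensions count.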
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Process
ATT&CK Techniques
  • T1485
Created: 2024-11-13