
Summary
This detection rule identifies potentially malicious uses of the SDelete tool, a Sysinternals command-line utility that securely deletes files and overwrites free disk space. Specifically, the rule flags executions of SDelete that erase a specific file rather than clean free space, which can indicate an attacker trying to cover their tracks or destroy evidence on the file system. The detection monitors process creation events in Windows environments for the execution of 'sdelete.exe', while excluding command lines associated with help queries or with operations that target free space. By filtering out these benign uses, the detection aims to surface the remaining, potentially malicious executions that warrant further investigation.
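The matching logic described above, written out as an added Python example (this is not the rule's own code). It runs over a few constructed process-creation events modelled on Sysmon Event ID 1; the help switches and free-space switches it excludes are assumptions drawn from SDelete's documented syntax, not values quoted by the page.

```python
# Added example: apply the described SDelete detection logic to process-creation events.
# HELP_FLAGS / FREE_SPACE_FLAGS are assumed switch names, not values from the rule page.
import ntpath
import shlex

HELP_FLAGS = {"-?", "/?", "-h"}        # assumed: usage/help queries (benign)
FREE_SPACE_FLAGS = {"-c", "-z"}        # assumed: clean / zero free space (benign)


def is_suspicious_sdelete(event):
    """Return True when the event is SDelete being run against a specific target.

    event: dict with 'Image' and 'CommandLine' keys, like a Sysmon Event ID 1 record.
    """
    image = event.get("Image", "")
    # The rule keys on the process image name, so a wrapper launch via cmd.exe is not matched.
    if ntpath.basename(image).lower() != "sdelete.exe":
        return False
    # posix=False keeps Windows backslashes intact when tokenising the command line.
    args = [t.lower() for t in shlex.split(event.get("CommandLine", ""), posix=False)[1:]]
    if any(a in HELP_FLAGS for a in args):
        return False
    if any(a in FREE_SPACE_FLAGS for a in args):
        return False
    # Flag only if at least one argument is a target (file/directory) rather than a switch.
    return any(not a.startswith(("-", "/")) for a in args)


def scan(events):
    """Return the command lines of all events the detection would flag."""
    return [e["CommandLine"] for e in events if is_suspicious_sdelete(e)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\sdelete.exe", "CommandLine": r"sdelete.exe -?"},
    {"Image": r"C:\Tools\sdelete.exe", "CommandLine": r"sdelete.exe -c C:"},
    {"Image": r"C:\Tools\sdelete.exe", "CommandLine": r"sdelete.exe -z D:"},
    {"Image": r"C:\Tools\sdelete.exe",
     "CommandLine": r"sdelete.exe -p 3 -nobanner C:\Users\victim\evidence.log"},
    {"Image": r"C:\Tools\sdelete.exe", "CommandLine": r'sdelete.exe -s "C:\Temp\staging"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c sdelete.exe -s C:\Temp"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("FLAGGED:", line)
```

Only the two runs that name a concrete file or directory are flagged; the help query and the free-space cleans pass through as benign.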
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1485
Created: 2021-06-03