
Summary
This analytic detection rule identifies execution of sdelete.exe, a Sysinternals tool for securely deleting files that threat actors commonly use to erase forensic traces of their activity on a compromised host. The detection relies on process-execution telemetry captured by Endpoint Detection and Response (EDR) agents. Because sdelete.exe is rarely used in normal operational contexts, its invocation may indicate malicious intent, specifically an effort to obstruct incident investigation and response. Monitoring for this application improves an organization's awareness of possible adversary cover-up activity. Confirmed sdelete.exe usage can mean significant data loss that hampers forensic capabilities.
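The detection logic described above, worked through as an added example that is not part of this rule's own search or any EDR product: it runs over constructed process-creation events whose field names (image, original_file_name, command_line) are assumptions, matches on the image name or the PE OriginalFileName so a renamed copy is still caught, and annotates the finding from the documented SDelete switches.

```python
"""Flag sdelete.exe executions in process-creation telemetry (added example)."""
import ntpath

# Known file names of the Sysinternals SDelete binaries (lower-case).
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe", "sdelete64a.exe"}

# Constructed sample EDR process-creation events; the field names are an
# assumed schema, not a real product's format.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "corp\\alice", "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "command_line": "notepad.exe notes.txt"},
    {"host": "ws02", "user": "corp\\svc-backup", "image": r"C:\Temp\sdelete64.exe",
     "original_file_name": "sdelete.exe", "command_line": r"sdelete64.exe -p 3 -s C:\Temp\staging"},
    {"host": "ws03", "user": "corp\\bob", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "original_file_name": "sdelete.exe", "command_line": r"update.exe -z C:"},
    {"host": "ws04", "user": "corp\\carol", "image": r"C:\Program Files\App\app.exe",
     "original_file_name": "app.exe", "command_line": "app.exe --sdelete-report"},
]


def is_sdelete_execution(event):
    """Match on the image file name or the PE OriginalFileName; the command
    line is deliberately not used for matching, so an unrelated argument
    such as '--sdelete-report' does not produce a false positive."""
    image_name = ntpath.basename(event.get("image", "")).lower()
    original = event.get("original_file_name", "").lower()
    return image_name in SDELETE_NAMES or original in SDELETE_NAMES


def describe(event):
    """Summarise what the invocation would destroy, using documented SDelete
    switches: -z/-c act on a volume's free space, -s recurses into directories."""
    args = event.get("command_line", "").split()[1:]
    flags = {a.lower() for a in args if a.startswith("-")}
    scope = "volume free space" if flags & {"-z", "-c"} else "files"
    if "-s" in flags:
        scope += " (recursive)"
    renamed = ntpath.basename(event["image"]).lower() not in SDELETE_NAMES
    return {"host": event["host"], "user": event["user"], "scope": scope,
            "renamed_binary": renamed, "command_line": event["command_line"]}


def find_sdelete_executions(events):
    """Return one finding per matching process-creation event."""
    return [describe(e) for e in events if is_sdelete_execution(e)]


if __name__ == "__main__":
    for finding in find_sdelete_executions(SAMPLE_EVENTS):
        print(finding)
```

Against the sample events this yields two findings (ws02 and ws03, the latter flagged as a renamed binary) and no hit for the unrelated app.exe argument on ws04.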
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
- Application Log
ATT&CK Techniques
- T1485
- T1070.004
- T1070
Created: 2024-11-13