Process Termination followed by Deletion

Elastic Detection Rules

Summary
This detection rule identifies a process terminating and, shortly afterwards, the deletion of the executable it was running from: a common way for malware (droppers, stagers, self-deleting payloads) to cover its tracks. It is implemented as an EQL (Event Query Language) sequence query scoped to Windows hosts. The first stage matches a termination event for a process whose code signature is not trusted; the second matches a deletion event for that process's executable, with a maximum span of 5 seconds between the two events. Known benign processes, and the deletion of their binaries, are excluded to reduce false positives. The rule ships with an investigation guide that walks analysts through how the process was launched, its parent-child relationships, and other activity in the process lifecycle around the deletion, together with a response plan to follow if malware is confirmed. It also integrates with Osquery so analysts can query live system state, including the DNS cache and running services, for deeper visibility into the endpoint.
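To make the sequence logic concrete, here is an added Python re-implementation of the detection described above, run over constructed sample events. It is not the Elastic rule's own EQL query and the exclusion lists in it are illustrative assumptions, not the rule's actual exclusions; field names follow Elastic Common Schema (ECS) as produced by Elastic Endpoint, and the join on host and executable path mirrors how an EQL `sequence by` correlates the two stages.

```python
"""Sequence detection: an untrusted process ends and within 5 s its executable is deleted.

Added example, not the Elastic rule's own EQL. Field names follow ECS. The path and
process exclusions are assumptions for illustration, not the rule's real lists.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=5)            # the rule's 5-second maximum span
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com"}

# Assumed exclusions: directories Windows servicing churns through, and a system
# process that routinely deletes binaries. Patterns are lower-case; '?' = drive letter.
EXCLUDED_PATH_GLOBS = (
    "?:\\windows\\softwaredistribution\\*.exe",
    "?:\\windows\\winsxs\\*.exe",
)
EXCLUDED_DELETING_PROCESSES = ("?:\\windows\\system32\\svchost.exe",)


def matches_any(path, globs):
    """Case-insensitive glob match of a Windows path against a tuple of patterns."""
    p = path.lower()
    return any(fnmatchcase(p, g) for g in globs)


def detect(events):
    """Return (process_end, file_deletion) pairs satisfying the sequence.

    Both events must come from the same host and name the same binary, the process
    must lack a trusted code signature, and the deletion must follow the
    termination within MAXSPAN. Exclusions drop servicing churn and known deleters.
    """
    hits = []
    pending = {}                          # (host.id, lower-case path) -> latest end event
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        kind = (ev["event"]["category"], ev["event"]["type"])
        if kind == ("process", "end"):
            exe = ev["process"]["executable"]
            if ev["process"]["code_signature"]["trusted"] is True:
                continue                  # trusted publisher: out of scope for this rule
            if matches_any(exe, EXCLUDED_PATH_GLOBS):
                continue
            pending[(ev["host"]["id"], exe.lower())] = ev
        elif kind == ("file", "deletion"):
            path = ev["file"]["path"]
            if path.rsplit(".", 1)[-1].lower() not in EXECUTABLE_EXTENSIONS:
                continue
            if matches_any(ev["process"]["executable"], EXCLUDED_DELETING_PROCESSES):
                continue
            start = pending.pop((ev["host"]["id"], path.lower()), None)
            if start and ev["@timestamp"] - start["@timestamp"] <= MAXSPAN:
                hits.append((start, ev))
    return hits


# ---- constructed sample telemetry (not real data) ---------------------------------
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def process_end(host, exe, trusted, offset):
    return {"@timestamp": T0 + timedelta(seconds=offset),
            "event": {"category": "process", "type": "end"},
            "host": {"id": host},
            "process": {"executable": exe, "code_signature": {"trusted": trusted}}}


def file_deletion(host, path, deleted_by, offset):
    return {"@timestamp": T0 + timedelta(seconds=offset),
            "event": {"category": "file", "type": "deletion"},
            "host": {"id": host},
            "file": {"path": path},
            "process": {"executable": deleted_by}}   # process performing the deletion


SAMPLE_EVENTS = [
    # untrusted stager exits and is deleted 2 s later: should fire
    process_end("h1", "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe", False, 0),
    file_deletion("h1", "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe",
                  "C:\\Windows\\System32\\cmd.exe", 2),
    # servicing churn under WinSxS: excluded path
    process_end("h1", "C:\\Windows\\WinSxS\\amd64_x\\setup.exe", False, 10),
    file_deletion("h1", "C:\\Windows\\WinSxS\\amd64_x\\setup.exe",
                  "C:\\Windows\\System32\\svchost.exe", 11),
    # trusted, signed installer cleaning up after itself: excluded by signature
    process_end("h1", "C:\\Program Files\\Vendor\\setup.exe", True, 20),
    file_deletion("h1", "C:\\Program Files\\Vendor\\setup.exe",
                  "C:\\Program Files\\Vendor\\setup.exe", 21),
    # deletion 10 s after exit: outside the 5 s span
    process_end("h2", "C:\\Temp\\drop.exe", False, 30),
    file_deletion("h2", "C:\\Temp\\drop.exe", "C:\\Windows\\explorer.exe", 40),
    # exit on h2 but deletion on h1: different host, no join
    process_end("h2", "C:\\Temp\\x.exe", False, 50),
    file_deletion("h1", "C:\\Temp\\x.exe", "C:\\Windows\\explorer.exe", 51),
]


def detected_paths(events=SAMPLE_EVENTS):
    """Executable paths of the process-end events that completed a sequence."""
    return [end["process"]["executable"] for end, _ in detect(events)]


if __name__ == "__main__":
    for end, deletion in detect(SAMPLE_EVENTS):
        gap = (deletion["@timestamp"] - end["@timestamp"]).total_seconds()
        print(f"[{end['host']['id']}] {end['process']['executable']} exited; "
              f"deleted {gap:.0f}s later by {deletion['process']['executable']}")
```

Only the first pair fires; the other four cases show the three ways a candidate is suppressed (excluded path, trusted signature, expired span) and why the join must include the host. When tuning the real rule, treat each suppression as a separate false-positive source and widen exclusions by exact path rather than by directory wherever possible, since an attacker who can write into an excluded directory inherits the exclusion.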
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1036
  • T1036.001
  • T1070
  • T1070.004
Created: 2020-11-04