Potential Secure Deletion with SDelete

Sigma Rules

Summary
This detection rule identifies potential secure deletion of files with SDelete, a utility that overwrites files before deleting them so that they cannot easily be recovered. The rule looks for file operations on the extensions typically linked to SDelete activity, specifically the events generated during the deletion process. It triggers on Windows event IDs 4656, 4663, and 4658, which correspond to file access and modification activity, when the files involved carry extensions such as .AAA or .ZZZ. While SDelete has legitimate uses, such as securely wiping sensitive information, this detection aims to flag potential misuse where these extensions indicate an attempt to hide what was deleted. Administrators should investigate alerts generated by this rule, considering both the context and the intent behind the deletions, to distinguish malicious activity from benign usage.
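The matching logic the summary describes, run over a few constructed Windows Security event records, as an added example that is not the rule's own code. It assumes events arrive as dicts with `EventID`, `ObjectName` and `ProcessName` fields (the field names used by Sigma's Windows security log source), and it adds a per-process tally to support the triage step the summary recommends.

```python
from collections import Counter
from typing import Iterable

# Event IDs and rename extensions quoted in the rule summary.
SDELETE_EVENT_IDS = {4656, 4663, 4658}
SDELETE_EXTENSIONS = (".aaa", ".zzz")


def is_sdelete_candidate(event: dict) -> bool:
    """True when a single event satisfies the rule: matching event ID and an .AAA/.ZZZ object name."""
    if int(event.get("EventID", 0)) not in SDELETE_EVENT_IDS:
        return False
    name = str(event.get("ObjectName", "")).lower()
    return name.endswith(SDELETE_EXTENSIONS)


def find_sdelete_activity(events: Iterable[dict]) -> list[dict]:
    """Return every matching event, one per hit, the way a SIEM would emit alerts."""
    return [e for e in events if is_sdelete_candidate(e)]


def hits_by_process(events: Iterable[dict]) -> dict[str, int]:
    """Tally hits per originating process so an analyst can see which binary drove the renames."""
    return dict(Counter(e.get("ProcessName", "<unknown>") for e in find_sdelete_activity(events)))


# Constructed sample records for illustration only; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\AAA.AAA", "ProcessName": r"C:\Tools\sdelete64.exe"},
    {"EventID": 4658, "ObjectName": r"C:\Users\alice\Documents\ZZZ.ZZZ", "ProcessName": r"C:\Tools\sdelete64.exe"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\report.docx", "ProcessName": r"C:\Windows\explorer.exe"},
    # Right extension but a process-creation event, so outside the rule's event ID set.
    {"EventID": 4688, "ObjectName": r"C:\Temp\AAA.AAA", "ProcessName": r"C:\Windows\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_sdelete_activity(SAMPLE_EVENTS):
        print(f"SDelete candidate: event {hit['EventID']} on {hit['ObjectName']} by {hit['ProcessName']}")
    print(hits_by_process(SAMPLE_EVENTS))
```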
Categories
  • Windows
Data Sources
  • File
  • Logon Session
Created: 2017-06-14