
Potential Secure File Deletion via SDelete Utility

Elastic Detection Rules

Summary
This rule detects the use of the Sysinternals SDelete utility, which securely deletes files by overwriting and renaming them multiple times so that recovery is impossible. While this tool has legitimate purposes, it can also be abused by attackers, particularly after ransomware or data theft incidents, to erase traces of their activity and impair recovery efforts. The detection is based on identifying file name patterns typically associated with SDelete operations. Analysts are advised to investigate the context of the file deletions, examining the processes involved, user activity, and command line details to distinguish legitimate administrative actions from potentially malicious behavior. The rule accounts for false positives, since SDelete is a dual-use tool; confirming whether administrators are aware of and approved its use may be necessary. In cases of suspected malicious use, a systematic incident response plan is recommended, including isolating affected machines, protecting credentials, and examining overall system integrity.
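As an added example (not the rule's own query), the following Python detector applies the file-name-pattern idea above to constructed file-rename events. SDelete is documented to rename a file 26 times, each time using the next alphabet letter, before deleting it; the exact name shape matched here, the event fields, and the host, pid and process names are assumptions for illustration, and the consecutive-letter check is an added heuristic to separate a full wipe sequence from a lone coincidental match.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "process": "sdelete64.exe", "event_type": "change", "file_name": "AAAAAAAAAAAA.AAA"},
    {"host": "ws01", "pid": 4120, "process": "sdelete64.exe", "event_type": "change", "file_name": "BBBBBBBBBBBB.BBB"},
    {"host": "ws01", "pid": 4120, "process": "sdelete64.exe", "event_type": "change", "file_name": "CCCCCCCCCCCC.CCC"},
    {"host": "ws01", "pid": 4120, "process": "sdelete64.exe", "event_type": "deletion", "file_name": "ZZZZZZZZZZZZ.ZZZ"},
    {"host": "ws02", "pid": 880, "process": "explorer.exe", "event_type": "change", "file_name": "AAAAAAAAAAAA.AAA"},
    {"host": "ws02", "pid": 991, "process": "notepad.exe", "event_type": "change", "file_name": "notes.txt"},
]

# Assumed SDelete rename shape: stem and 3-letter extension are the same
# single repeated uppercase letter, e.g. "AAAA.AAA", then "BBBB.BBB", ...
SDELETE_NAME = re.compile(r"^([A-Z])\1*\.\1{3}$")


def is_sdelete_name(name: str) -> bool:
    """True if a file name looks like one of SDelete's intermediate rename targets."""
    return SDELETE_NAME.match(name) is not None


def detect_sdelete(events, min_run=3):
    """Group matching rename events by (host, pid) and rate each process.

    A process whose rename targets step through at least `min_run` consecutive
    letters (A -> B -> C ...) is rated 'high'; a lone match is rated 'low' so an
    analyst can still triage it against process and command line context.
    """
    letters = defaultdict(list)   # (host, pid) -> letters seen, in event order
    procs = {}                    # (host, pid) -> process name
    for ev in events:
        if ev["event_type"] != "change" or not is_sdelete_name(ev["file_name"]):
            continue
        key = (ev["host"], ev["pid"])
        letters[key].append(ev["file_name"][0])
        procs[key] = ev["process"]

    alerts = []
    for key, seq in letters.items():
        run = best = 1            # longest run of successive alphabet letters
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if ord(cur) == ord(prev) + 1 else 1
            best = max(best, run)
        alerts.append({"host": key[0], "pid": key[1], "process": procs[key],
                       "renames": len(seq), "severity": "high" if best >= min_run else "low"})
    return alerts
```

Run against the sample events, the SDelete process on ws01 is rated high after three successive renames, while the single matching rename on ws02 is surfaced at low severity for review.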
Categories
  • Endpoint
  • Windows
  • Cloud
  • On-Premise
Data Sources
  • Process
  • File
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1070
  • T1070.004
  • T1485
Created: 2020-08-18