File Deletion Via Del

Summary
This rule detects execution of the Windows command-line commands 'del' and 'erase', which are typically used to delete files on the system. An adversary may use these commands to remove potentially incriminating files that were introduced during an intrusion; the deletion can happen early in an attack to cover tracks or as a post-intrusion cleanup step. The rule therefore serves as a monitor for suspicious command-line activity that could indicate an effort to conceal evidence of malicious actions. It alerts on process creation events whose command line shows the characteristics of file deletion: invocation of 'cmd.exe' together with a 'del' or 'erase' command. The detection also takes into account flags that modify the behaviour of these commands, which sharpens the match while limiting false positives from legitimate administrative activity.
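The three conditions the summary describes (parent image is cmd.exe, a 'del' or 'erase' command in the command line, and a behaviour-modifying flag) can be checked against process-creation telemetry as shown below. This is an added illustration, not the rule's own Sigma source or the project's code; the sample events are constructed, and the flag set (/f, /q, /s) is an assumption, since the page says only that the rule incorporates flags without listing them.

```python
import re
from typing import Iterable

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are not real telemetry and are not taken from the rule repository.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /f /q C:\Users\Public\stage.bin'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c erase /s /q C:\Temp\*.log'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del C:\Temp\old.txt'},          # no flags
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Tools\deleteme.exe /s"'},   # 'del' only as a substring
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c Remove-Item -Force C:\Temp\x'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir /s C:\Users'},
]

# 'del' or 'erase' must appear as a whole command token: preceded by the start of
# the line, whitespace, a command separator (& |) or an opening quote/paren, and
# followed by whitespace. This keeps names like "deleteme.exe" from matching.
_DEL_TOKEN = re.compile(r'(?:^|[\s&|("])(?:del|erase)\s')

# Assumed flag set: /f (force), /q (quiet), /s (recurse). The page only states that
# the rule incorporates behaviour-modifying flags; the exact list is not given.
_FLAG = re.compile(r'(?:^|\s)/[fqs](?:\s|$)')


def matches_del_rule(event: dict) -> bool:
    """Return True when an event satisfies all three conditions from the summary."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Condition 1: the process image is cmd.exe (matched on the trailing path component).
    if not image.endswith("\\cmd.exe"):
        return False
    # Condition 2: a 'del' or 'erase' command token is present.
    if not _DEL_TOKEN.search(cmdline):
        return False
    # Condition 3: at least one of the assumed behaviour-modifying flags is present.
    return bool(_FLAG.search(cmdline))


def scan_events(events: Iterable[dict]) -> list:
    """Return the command lines that trigger the rule, in input order."""
    return [e["CommandLine"] for e in events if matches_del_rule(e)]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT T1070.004 file deletion via del/erase:", hit)
```

Run against the constructed events, only the first two (forced/quiet delete and recursive erase) fire; the flag-less `del`, the `deleteme.exe` substring, the PowerShell `Remove-Item`, and the `dir /s` listing are all excluded, which is the false-positive filtering the summary refers to.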
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1070.004
Created: 2022-01-15