
Excessive Usage Of Taskkill

Splunk Security Content

Summary
This detection rule identifies excessive use of the `taskkill.exe` command-line utility, which adversaries frequently abuse to terminate security tools and evade detection. The rule triggers when `taskkill.exe` is executed ten or more times within a one-minute window, which indicates potentially malicious behavior. The detection uses process-execution data from Endpoint Detection and Response (EDR) agents, specifically Sysmon EventID 1, Windows Security Event ID 4688, and CrowdStrike's ProcessRollup2 events. Because legitimate users may occasionally run this command several times in succession, a match warrants further investigation rather than an automatic verdict, particularly where critical system processes are being terminated.
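As an added illustration (not the rule's own Splunk search), the following Python sketch implements the logic described above over normalized process-creation events: it counts `taskkill.exe` executions per host in a sliding one-minute window, alerts when the count reaches ten, and extracts the `/IM` targets so an analyst can see whether critical processes were terminated. The events, hostnames, timestamps and the `SECURITY_TOOL_IMAGES` watchlist are constructed; the sliding window is an assumption, since the published search may use fixed one-minute buckets instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # executions of taskkill.exe that trigger the rule
WINDOW = timedelta(minutes=1)  # sliding window per host (assumption; see lead-in)
# Hypothetical watchlist of security-tool image names to flag as critical targets (placeholder).
SECURITY_TOOL_IMAGES = {"edr-agent.exe"}

def _ev(host, offset_s, process, cmd):
    # Build a constructed, Sysmon-EventID-1-like record (not real telemetry).
    t = datetime(2024, 11, 13, 9, 0, 0) + timedelta(seconds=offset_s)
    return {"host": host, "time": t.isoformat(), "process_name": process, "command_line": cmd}

# Constructed sample input: WS01 runs taskkill 11 times in 30 s (one target is on the watchlist),
# WS02 runs it 3 times spread over four minutes, plus unrelated process noise.
TARGETS = ["edr-agent.exe"] + [f"app{i:02d}.exe" for i in range(1, 11)]
SAMPLE_EVENTS = (
    [_ev("WS01", 3 * i, "taskkill.exe", f"taskkill /F /IM {n}") for i, n in enumerate(TARGETS)]
    + [_ev("WS02", 120 * i, "taskkill.exe", "taskkill /PID 4321") for i in range(3)]
    + [_ev("WS01", 5, "cmd.exe", "cmd.exe /c whoami"), _ev("WS02", 10, "notepad.exe", "notepad.exe")]
)

def detect_excessive_taskkill(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per host burst in which taskkill.exe ran >= threshold times within window."""
    alerts, recent = [], defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["process_name"].lower() != "taskkill.exe":
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["host"]]
        q.append((t, ev["command_line"]))
        while t - q[0][0] > window:        # evict executions older than the window
            q.popleft()
        if len(q) >= threshold:
            targets = sorted({m for _, c in q for m in re.findall(r"/IM\s+(\S+)", c, re.I)})
            alerts.append({"host": ev["host"], "count": len(q),
                           "window_start": q[0][0].isoformat(), "window_end": t.isoformat(),
                           "targets": targets,
                           "critical_targets": [x for x in targets if x.lower() in SECURITY_TOOL_IMAGES]})
            q.clear()                      # one alert per burst, not one per extra execution
    return alerts

if __name__ == "__main__":
    for a in detect_excessive_taskkill(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['count']} taskkill runs {a['window_start']}..{a['window_end']}; "
              f"critical targets: {a['critical_targets'] or 'none'}")
```

Lowering the threshold or widening the window (e.g. three runs in five minutes) shows how the same code flags the slower WS02 pattern, which is the tuning trade-off the summary alludes to.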
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Sensor Health
  • Logon Session
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13