Windows Disable or Stop Browser Process

Splunk Security Content

Summary
This detection identifies executions of the `taskkill` command whose command line terminates known web browser processes such as Chrome, Edge, and Firefox. This behaviour is frequently associated with the Braodo stealer malware, which closes browsers so that the files holding sensitive information, including saved user credentials, are no longer locked and can be read. Catching this step early lets security teams act before credential theft and further compromise of the system. The detection uses telemetry from Sysmon Event ID 1 and Splunk's data model to filter and analyse the relevant process activity; it requires EDR logs that capture command-line executions to be ingested, with their fields normalised to the Splunk Common Information Model (CIM).
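The logic the summary describes, as an added illustration rather than the Splunk rule itself, implemented over a handful of constructed Sysmon Event ID 1 records. The pipe-delimited `key=value` layout, the host and user names, and the browser image list beyond Chrome, Edge and Firefox are assumptions; the point is to show how the command line is tokenised (quoted paths with spaces included), how only `taskkill` invocations are considered, and how the `/IM` arguments are matched against browser image names case-insensitively.

```python
"""Flag taskkill executions that target web browser processes.

Example detector written for this page; it is not Splunk's rule and not
Braodo-related code. The event format and sample values are constructed.
"""

# Browser image names to watch for. Chrome, Edge and Firefox come from the
# detection summary; the remaining entries are an assumed extension.
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "iexplore.exe", "brave.exe", "opera.exe",
}

# Constructed Sysmon-style records flattened to key=value pairs separated by '|'.
SAMPLE_EVENTS = [
    # Braodo-like behaviour: one taskkill closing three browsers at once.
    "EventCode=1|Computer=WS01|User=CORP\\alice|Image=C:\\Windows\\System32\\taskkill.exe"
    "|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
    "|CommandLine=taskkill /F /IM chrome.exe /IM msedge.exe /IM firefox.exe",
    # Benign: taskkill against a non-browser process, quoted full path.
    "EventCode=1|Computer=WS02|User=CORP\\bob|Image=C:\\Windows\\System32\\taskkill.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=\"C:\\Windows\\System32\\taskkill.exe\" /f /im notepad.exe",
    # Benign: a browser launching normally; mentions chrome.exe but is not taskkill.
    "EventCode=1|Computer=WS03|User=CORP\\carol"
    "|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --profile-directory=Default",
    # Mixed case and a quoted image name.
    "EventCode=1|Computer=WS04|User=CORP\\dave|Image=C:\\Windows\\System32\\taskkill.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=TASKKILL /IM \"FireFox.exe\" /T",
    # taskkill wrapped in cmd.exe /c: the parent's command line carries it.
    "EventCode=1|Computer=WS05|User=CORP\\eve|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Users\\eve\\Downloads\\setup.exe"
    "|CommandLine=cmd.exe /c taskkill /f /im msedge.exe",
    # Not a process-creation event; must be ignored.
    "EventCode=5|Computer=WS06|User=CORP\\frank"
    "|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
]


def parse_event(line):
    """Turn one 'k=v|k=v' record into a dict (constructed format, not Sysmon XML)."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    tokens, current, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote          # quotes delimit, they are not part of the token
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def _taskkill_index(tokens):
    """Index of the first token whose basename is taskkill/taskkill.exe, else -1."""
    for i, tok in enumerate(tokens):
        if tok.rsplit("\\", 1)[-1].lower() in ("taskkill", "taskkill.exe"):
            return i
    return -1


def is_taskkill(cmdline):
    """True when the command line invokes taskkill, directly or via a wrapper like cmd /c."""
    return _taskkill_index(_tokens(cmdline)) >= 0


def targeted_browsers(cmdline):
    """Browser image names passed to taskkill via /IM, lower-cased, in command-line order."""
    tokens = _tokens(cmdline)
    start = _taskkill_index(tokens)
    if start < 0:
        return []
    hits = []
    for i in range(start + 1, len(tokens) - 1):
        if tokens[i].upper() == "/IM" and tokens[i + 1].lower() in BROWSER_IMAGES:
            hits.append(tokens[i + 1].lower())
    return hits


def detect(events):
    """Return one finding per Sysmon Event ID 1 record where taskkill targets a browser."""
    findings = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("EventCode") != "1":      # only process-creation events carry the command line
            continue
        browsers = targeted_browsers(ev.get("CommandLine", ""))
        if browsers:
            findings.append({
                "computer": ev.get("Computer"),
                "user": ev.get("User"),
                "parent": ev.get("ParentImage"),
                "browsers": browsers,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The parent image is carried into each finding on purpose: in the summary's scenario the interesting parent is an unsigned binary in a user-writable directory, whereas the same `taskkill` line spawned from an administrator's console or a software-deployment agent is a common false positive, so the parent is the first field an analyst will pivot on. The function keys on `/IM` arguments; pair it with the original rule's broader substring match on `taskkill` if every invocation should be surfaced for review.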
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13