
Summary
This Elastic rule detects the first-time occurrence on a macOS host where a Python process spawns an interactive or non-interactive shell using the -c flag. The detection uses a New Terms approach to surface a first occurrence within a 7-day window, leveraging process and parent-process relationships (process.parent.executable) on the host. The rule targets scenarios where a Python process (process.parent.name: python*) launches a shell (bash, dash, sh, tcsh, csh, zsh, ksh, fish) with the -c argument, and excludes common benign cases such as pip/conda/brew/jupyter activities to reduce false positives. This pattern is indicative of attackers attempting to leverage Python code execution to perform reconnaissance, credential access, persistence, or reverse shell activity, especially after model loading, deserialization, or script execution. The rule maps to MITRE ATT&CK T1059.006 (Python) under the Execution tactic, highlighting a command-and-scripting-interpreter activity. It provides explicit triage guidance, false-positive considerations, and remediation steps within the rule’s analysis, enabling rapid investigation of whether a Python runtime spawned a shell for malicious purposes. The detection is designed to surface novel, potentially malicious behavior that would not occur in typical Python workflows. References and context are provided to aid incident response and threat-hunting efforts.
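To make the matching logic described above concrete, the following is an added Python example (not Elastic's rule query or code) that applies the python-parent / shell / -c criteria and a simplified New Terms first-seen check over constructed process events; the pip/conda/brew/jupyter exclusion is approximated by a substring match on the command line, and the field names, host names, paths and timestamps are assumptions.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
# Assumed stand-ins for the rule's pip/conda/brew/jupyter exclusions, not its exact clauses.
BENIGN_MARKERS = ("pip", "conda", "brew", "jupyter")
HISTORY_WINDOW = timedelta(days=7)  # New Terms look-back stated in the summary

def matches_query(ev):
    """Parent process.name python*, child is one of the shells, and '-c' is among its args."""
    if not fnmatch(ev["process.parent.name"], "python*"):
        return False
    if ev["process.name"] not in SHELLS or "-c" not in ev["process.args"]:
        return False
    return not any(m in " ".join(ev["process.args"]) for m in BENIGN_MARKERS)

class NewTermsDetector:
    """Alert when (host.name, process.parent.executable) matches for the first time in the window;
    repeats inside the window are suppressed (last-seen tracking, a simplification of Elastic's)."""

    def __init__(self, window=HISTORY_WINDOW):
        self.window, self.last_seen = window, {}

    def process(self, ev):
        if not matches_query(ev):
            return None
        key = (ev["host.name"], ev["process.parent.executable"])
        previous = self.last_seen.get(key)
        self.last_seen[key] = ev["@timestamp"]
        return key if previous is None or ev["@timestamp"] - previous > self.window else None

def _event(day, host, parent_name, parent_exe, name, args):
    return {"@timestamp": datetime(2026, 3, 1) + timedelta(days=day), "host.name": host,
            "process.parent.name": parent_name, "process.parent.executable": parent_exe,
            "process.name": name, "process.args": args}

PY = "/usr/local/bin/python3.11"  # assumed interpreter path
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    _event(0, "mac-01", "python3.11", PY, "sh", ["sh", "-c", "uname -a"]),    # first seen: alert
    _event(1, "mac-01", "python3.11", PY, "sh", ["sh", "-c", "uname -a"]),    # repeat in window
    _event(1, "mac-01", "python3.11", PY, "bash", ["bash", "-c", "pip install requests"]),  # excluded
    _event(2, "mac-02", "python3.11", PY, "zsh", ["zsh", "-c", "uname -a"]),  # new host: alert
    _event(3, "mac-01", "node", "/usr/local/bin/node", "sh", ["sh", "-c", "uname -a"]),  # not python
    _event(10, "mac-01", "python3.11", PY, "sh", ["sh", "-c", "uname -a"]),   # >7 days later: alert
]

def run_demo(events=SAMPLE_EVENTS):
    """Feed events in timestamp order; return the (host, parent executable) pairs that alerted."""
    detector = NewTermsDetector()
    return [hit for hit in map(detector.process, events) if hit is not None]
```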
Categories
- Endpoint
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1059.006
Created: 2026-02-23