
Summary
This rule detects the execution of unsigned or untrusted binaries on macOS that subsequently establish outbound network connections to raw IP addresses over non-standard ports. Unsigned binaries are often indicative of malicious software, and the use of non-standard ports is a common tactic attackers employ to evade traditional network security controls and reach command-and-control (C2) servers. The EQL (Event Query Language) rule monitors processes whose code signature is missing or untrusted and correlates them with network events from the same process to identify potential C2 activity. Investigative steps include analyzing process characteristics, checking code signatures, reviewing the destinations of the network traffic, and correlating with other events to reveal malicious behavior. The rule also provides guidance on triaging false positives and on response measures such as terminating the process, blocking the destination IPs, and conducting thorough system scans.
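The correlation the summary describes (untrusted process start, then an outbound connection from that same process to a raw external IP on a non-standard port) can be sketched outside EQL to make the logic concrete. The following Python is an added illustration, not the rule's own EQL or any vendor code; the event field names are modelled on ECS-style names but are assumptions, the "standard port" list and 30-second window are tunable assumptions, and the sample events (using documentation-range IP addresses) are constructed for this example.

```python
"""Illustrative re-implementation of the detection logic: untrusted process start
followed, within a short window, by an egress connection from the same process to
a raw (non-resolved) external IP on a non-standard port. Assumed field names."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Ports commonly carrying legitimate outbound traffic; anything else counts as
# "non-standard" here. This list is an assumption to tune per environment.
STANDARD_PORTS = {22, 25, 53, 80, 123, 143, 443, 465, 587, 993, 995, 8080, 8443}
WINDOW = timedelta(seconds=30)  # assumed max gap between process start and connection

# Address space treated as internal; connections here are excluded from alerting.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_untrusted(proc):
    """A process is untrusted when its code signature is absent or not trusted."""
    sig = proc.get("code_signature") or {}
    return not (sig.get("exists") and sig.get("trusted"))


def is_external(ip_str):
    """True only for a literal IP address that falls outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # not a literal IP address at all
    return not any(ip in net for net in INTERNAL_NETS)


def detect(events):
    """Return one alert per network event that completes the suspicious sequence."""
    alerts = []
    untrusted_starts = {}  # process.entity_id -> the process start event
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        cat, typ = ev["event"]["category"], ev["event"]["type"]
        if cat == "process" and typ == "start":
            if is_untrusted(ev["process"]):
                untrusted_starts[ev["process"]["entity_id"]] = ev
            continue
        if cat != "network" or typ != "start":
            continue
        start = untrusted_starts.get(ev["process"]["entity_id"])
        if start is None or ev["@timestamp"] - start["@timestamp"] > WINDOW:
            continue  # no untrusted parent, or the connection came too late
        dst = ev["destination"]
        if ev["network"]["direction"] != "egress" or dst.get("domain"):
            continue  # only outbound connections to a raw IP, not a resolved name
        if not is_external(dst["ip"]) or dst["port"] in STANDARD_PORTS:
            continue
        alerts.append({
            "process": start["process"]["executable"],
            "destination": f'{dst["ip"]}:{dst["port"]}',
            "reason": "untrusted binary -> raw external IP on non-standard port",
        })
    return alerts


# Constructed sample events (not real telemetry). IPs are documentation ranges.
T0 = datetime(2026, 1, 30, 12, 0, 0, tzinfo=timezone.utc)


def process_start(ts, entity_id, name, executable, trusted, signed=True):
    return {"@timestamp": ts, "event": {"category": "process", "type": "start"},
            "process": {"entity_id": entity_id, "name": name, "executable": executable,
                        "code_signature": {"exists": signed, "trusted": trusted}}}


def net_connect(ts, entity_id, ip, port, domain=None, direction="egress"):
    return {"@timestamp": ts, "event": {"category": "network", "type": "start"},
            "process": {"entity_id": entity_id}, "network": {"direction": direction},
            "destination": {"ip": ip, "port": port, "domain": domain}}


SAMPLE_EVENTS = [
    # 1) Unsigned binary in /tmp reaching a raw external IP on port 4444: alert.
    process_start(T0, "p1", "updater", "/tmp/updater", trusted=False, signed=False),
    net_connect(T0 + timedelta(seconds=3), "p1", "203.0.113.7", 4444),
    # 2) Trusted, signed curl talking to a resolved hostname over 443: benign.
    process_start(T0, "p2", "curl", "/usr/bin/curl", trusted=True),
    net_connect(T0 + timedelta(seconds=1), "p2", "198.51.100.10", 443, domain="example.com"),
    # 3) Untrusted binary, but the destination is an internal LAN address: excluded.
    process_start(T0, "p3", "agent", "/Users/me/agent", trusted=False),
    net_connect(T0 + timedelta(seconds=2), "p3", "10.0.0.5", 9000),
    # 4) Untrusted binary and raw external IP, but the connection is outside WINDOW.
    process_start(T0, "p4", "late", "/Users/me/late", trusted=False),
    net_connect(T0 + timedelta(minutes=5), "p4", "203.0.113.9", 5555),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample pair produces an alert; the other three show the main false-positive filters at work (trusted signature, internal destination, and a connection that arrives outside the correlation window). Triage of a real hit would then continue with the investigative steps the summary lists, starting with the binary's code signature and the reputation of the destination address.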
Categories
- Endpoint
- macOS
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1571
Created: 2026-01-30