
Summary
Detects suspicious shell command execution via the Python interpreter on Linux and macOS endpoints. The rule targets scenarios where a Python process spawns a shell (bash, sh, dash, etc.) and executes commands with -c/-lc/-cl, indicating an attacker attempting to run arbitrary shell commands from Python. It narrows to Python as the parent, matched by process.parent.name patterns such as python*, and restricts the child process to common shells. A secondary check requires event.action == "exec" and process.args containing -c/-lc to confirm command execution.

The rule then maps process.command_line patterns to intent categories (grep, find, curl, environment_enumeration, wget, with whoami/uname/hostname mapped to discovery/other) to identify reconnaissance or data exfiltration behaviors. Results are aggregated in 1-minute windows, counting distinct command lines and distinct pattern categories per (host, agent, process parent) context. Detection triggers when at least 5 distinct shell command lines and at least 4 distinct command-line pattern categories are observed in one window, the multi-command, multi-pattern activity typical of an attacker running several commands through Python.

MITRE ATT&CK mapping links this to T1059 (Command and Scripting Interpreter), sub-technique T1059.006 (Python), under Execution (TA0002). The rule is labeled medium severity with a risk score of 47, reflecting its role in identifying potentially hostile post-exploitation or lateral movement attempts on Linux/macOS endpoints. It is intended for endpoint telemetry (logs-endpoint.events.process-*) from Elastic Defend data sources and reflects cross-platform execution activity rather than Windows-focused indicators.
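As an added illustration (not the rule's own query), the following Python reproduces the rule's logic over constructed process events: the Python-parent/shell-child/-c filter, the intent-category mapping, and the 1-minute aggregation per (host, agent, parent) with the 5-command / 4-category thresholds. The category regexes, the zsh entry in the shell list, and the use of the parent PID as the "process parent" key are assumptions made here, not values taken from the rule.

```python
import re
from collections import defaultdict

SHELLS = {"bash", "sh", "dash", "zsh"}          # zsh added on assumption; the rule lists bash/sh/dash "etc."
CMD_FLAGS = {"-c", "-lc", "-cl"}
# Intent categories named in the summary; the regexes themselves are assumed, not the rule's own.
INTENT = [("grep", r"\bgrep\b"), ("find", r"\bfind\b"), ("curl", r"\bcurl\b"), ("wget", r"\bwget\b"),
          ("environment_enumeration", r"\b(env|printenv)\b"), ("discovery", r"\b(whoami|uname|hostname)\b")]

def ev(ts, parent, child, args, host="web-01", agent="ag-1", ppid=4242, action="exec"):
    """Build a constructed process event with ECS-like fields (sample data, not real telemetry)."""
    return {"@timestamp": ts, "host": host, "agent": agent, "ppid": ppid, "parent_name": parent,
            "name": child, "action": action, "args": args, "command_line": " ".join(args)}

EVENTS = [
    ev("2026-03-26T10:00:01Z", "python3", "bash", ["bash", "-c", "whoami"]),
    ev("2026-03-26T10:00:02Z", "python3", "sh", ["sh", "-c", "uname -a"]),
    ev("2026-03-26T10:00:05Z", "python3", "bash", ["bash", "-lc", "env"]),
    ev("2026-03-26T10:00:09Z", "python3", "dash", ["dash", "-c", "find /etc -name *.conf"]),
    ev("2026-03-26T10:00:12Z", "python3", "bash", ["bash", "-c", "grep -r TODO /srv/app"]),
    ev("2026-03-26T10:00:20Z", "python3", "bash", ["bash", "-c", "curl -s http://example.invalid/"]),
    ev("2026-03-26T10:00:21Z", "python3", "bash", ["bash", "deploy.sh"]),                       # no -c: excluded
    ev("2026-03-26T10:00:30Z", "cron", "sh", ["sh", "-c", "logrotate /etc/logrotate.conf"], ppid=911),  # not Python
    ev("2026-03-26T10:03:00Z", "python3", "bash", ["bash", "-c", "hostname"]),                  # later window, alone
]
def categorize(command_line):
    """Map a command line to the first matching intent category, else 'other'."""
    for name, pattern in INTENT:
        if re.search(pattern, command_line):
            return name
    return "other"

def is_candidate(e):
    """Python parent -> shell child, exec action, with a -c/-lc/-cl argument present."""
    return (e["action"] == "exec" and e["parent_name"].startswith("python")
            and e["name"] in SHELLS and any(a in CMD_FLAGS for a in e["args"]))

def detect(events, min_cmds=5, min_cats=4):
    """Aggregate candidates per (host, agent, parent pid, 1-minute window) and apply both thresholds."""
    buckets = defaultdict(lambda: (set(), set()))
    for e in filter(is_candidate, events):
        window = e["@timestamp"][:16]                 # "YYYY-MM-DDTHH:MM" = 1-minute bucket
        cmds, cats = buckets[(e["host"], e["agent"], e["ppid"], window)]
        cmds.add(e["command_line"])
        cats.add(categorize(e["command_line"]))
    return [k for k, (cmds, cats) in buckets.items() if len(cmds) >= min_cmds and len(cats) >= min_cats]
if __name__ == "__main__":
    for host, agent, ppid, window in detect(EVENTS):
        print(f"ALERT host={host} agent={agent} parent_pid={ppid} window={window}")
```

With the sample data only the 10:00 window for parent PID 4242 fires (6 distinct command lines across 5 categories); the cron-spawned shell and the lone hostname call at 10:03 stay below threshold.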
Categories
- Endpoint
- macOS
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1059.006
Created: 2026-03-26