
Summary
This detection rule identifies script interpreters on macOS that establish outbound connections to raw IP addresses over non-standard ports. Many initial access scripts and malware implants behave this way: they connect directly to a command and control (C2) or payload server by IP address, on a port that normal client traffic does not use, which sidesteps detections keyed on domain names and well-known ports. The rule correlates process execution events for known interpreters (Python, Node.js, Ruby) with outbound network events from the same process shortly afterwards, and flags the pair when the destination is an IP literal rather than a hostname and the destination port is not a standard one. The investigation guide walks analysts through deciding whether the execution was benign or malicious, with emphasis on the context of the connection and, in particular, on why an unusual port was used.
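As an added illustration, not code from the rule or its ruleset, the correlation the summary describes can be reproduced in Python over constructed event records. The event field names, the interpreter name pattern, the set of "standard" ports, the local address ranges that are ignored, the 30-second window for "shortly afterwards", and the sample events themselves are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not taken from the rule text): which process names count as
# script interpreters, which destination ports count as "standard", how long
# "shortly afterwards" is, and which destination ranges are local and ignored.
INTERPRETER_RE = re.compile(r"^(python|node|ruby)[0-9.]*$")
STANDARD_PORTS = {22, 25, 53, 80, 443, 465, 587, 993, 995, 8080, 8443}
WINDOW = timedelta(seconds=30)
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass
class Event:
    ts: datetime
    kind: str              # "process" (start) or "network" (outbound connection)
    pid: int
    name: str = ""         # process name, e.g. "python3"
    dest_ip: str = ""      # destination address as logged
    dest_port: int = 0     # destination port
    dest_domain: str = ""  # set when the connection was made to a hostname


def is_interpreter(name: str) -> bool:
    """Match python/python3.12/Python, node, ruby; case-insensitive."""
    return INTERPRETER_RE.match(name.lower()) is not None


def is_raw_remote_ip(ev: Event) -> bool:
    """True when the connection targeted an IP literal outside local ranges."""
    if ev.dest_domain:          # a hostname was used, so not a raw IP
        return False
    try:
        ip = ip_address(ev.dest_ip)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def correlate(events):
    """Return (pid, interpreter, ip, port) for each interpreter start that is
    followed within WINDOW by an outbound connection from the same PID to a
    raw non-local IP on a non-standard port."""
    starts = {}   # pid -> most recent interpreter process-start event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if is_interpreter(ev.name):
                starts[ev.pid] = ev
            else:
                starts.pop(ev.pid, None)   # PID reused by a non-interpreter
        elif ev.kind == "network":
            start = starts.get(ev.pid)
            if start is None or ev.ts - start.ts > WINDOW:
                continue
            if not is_raw_remote_ip(ev) or ev.dest_port in STANDARD_PORTS:
                continue
            alerts.append((ev.pid, start.name, ev.dest_ip, ev.dest_port))
    return alerts


# Constructed sample telemetry; 203.0.113.0/24 is a documentation range.
T0 = datetime(2026, 1, 30, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", 101, name="python3"),                       # fires
    Event(T0 + timedelta(seconds=2), "network", 101, dest_ip="203.0.113.10", dest_port=4444),
    Event(T0, "process", 102, name="node"),                          # hostname, standard port
    Event(T0 + timedelta(seconds=1), "network", 102, dest_ip="203.0.113.11", dest_port=443,
          dest_domain="updates.example"),
    Event(T0, "process", 103, name="ruby"),                          # private destination
    Event(T0 + timedelta(seconds=5), "network", 103, dest_ip="10.0.0.5", dest_port=9000),
    Event(T0, "process", 104, name="curl"),                          # not an interpreter
    Event(T0 + timedelta(seconds=1), "network", 104, dest_ip="203.0.113.20", dest_port=1337),
    Event(T0, "process", 105, name="Python"),                        # outside the window
    Event(T0 + timedelta(seconds=120), "network", 105, dest_ip="203.0.113.30", dest_port=8081),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT pid=%d %s -> %s:%d" % alert)
```

Only the first pair fires; the other four show the exclusions an analyst would expect from this rule (hostname-based connection on a standard port, private destination, non-interpreter parent, connection too long after the interpreter started). Tuning in practice means adjusting the port list and window, and adding exceptions for build or package tooling that legitimately talks to IP literals.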
Categories
- Endpoint
- macOS
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1571
- T1059
- T1059.006
- T1059.007
Created: 2026-01-30