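---
# Detection rule: one-liner execution through a scripting interpreter.
# Maps a regex hit on the command line to MITRE ATT&CK Execution (TA0002) /
# Command and Scripting Interpreter (T1059), with no sub-technique assigned.
rule_id: R0011
# NOTE(review): the pattern below was widened to cover `php -r`; bump this
# according to the rule-release process if pattern changes are versioned.
rule_version: 1
name: scripting_interpreter_exec
description: |
  Generic command-and-scripting-interpreter signal — python -c, perl -e,
  ruby -e, node -e, bash -c, php -r. Sub-technique-less T1059 catch-all
  that complements R0010 (Unix-specific).
applies_to:
  - command
match:
  field: command_text
  # Alternatives, all case-insensitive via (?i):
  #   1. python / python2 / python3 / perl / ruby / node / php followed by
  #      whitespace and -c or -e
  #   2. php followed by -r (listed in the description, but not reachable
  #      through -[ce], so it previously never matched)
  #   3. /bin/bash -c and /bin/sh -c, absolute path only
  # NOTE(review): alternative 3 requires the literal /bin/ prefix, so a shell
  # resolved through PATH or installed elsewhere is not matched here, and
  # alternative 1 does not match versioned binary names such as python3.11 —
  # confirm R0010 or another rule covers those before relying on this one.
  # NOTE(review): -[ce] also accepts flags that are not inline-code switches
  # for every interpreter (e.g. node -c, php -c); expect some benign hits,
  # consistent with the 0.7 confidence below.
  pattern: '(?i)\b(python[23]?|perl|ruby|node|php)\s+-[ce]\b|\bphp\s+-r\b|/bin/bash\s+-c\b|/bin/sh\s+-c\b'
emits:
  - tactic: TA0002
    technique_id: T1059
    confidence: 0.7
# NOTE(review): the source was flattened onto one line, so the nesting of
# evidence_fields (rule level vs. inside the emits entry) is reconstructed —
# verify against the rule schema.
evidence_fields:
  - command_text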