
Summary
The rule 'Execution Of Non-Existing File' detects Windows process creation events in which the image name is not a full, absolute path. An image logged without a path can mean that the executable no longer exists on disk, which is the effect of process ghosting: the attacker opens a file, marks it delete-pending, writes the payload, creates an image section from it and lets the file be deleted before a process is started from that section, so the executable is already gone when process-creation telemetry records it. The detection logic treats the presence of a backslash in the image field as the sign of a proper absolute path, and filters out events whose image field is empty or null as well as a short list of known benign image names (system processes that Windows legitimately logs without a path). Any remaining process creation event whose image lacks a backslash raises an alert. The rule is therefore useful for catching unconventional process initiation methods that can run malware without leaving an executable on disk. Its references include further reading on process ghosting.
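The detection logic described above, re-implemented as an added worked example and run over a few constructed process-creation events. This is illustrative code written for this page, not the Sigma rule itself; the list of benign bare image names, the field names and the sample events are assumptions made for the example.

```python
# Added worked example (not the Sigma rule's own code): the detection logic
# described above re-implemented in Python and run over constructed
# process-creation events. The benign-name list and the sample events are
# assumptions made for this example.
from typing import Dict, List, Optional

Event = Dict[str, Optional[str]]

# Image names that Windows process-creation telemetry legitimately reports
# without a path. The rule filters a list of such names; this particular
# list is an assumption for the example, not the rule's own list.
BENIGN_BARE_IMAGES = frozenset({"System", "Registry", "MemCompression", "vmmem"})


def has_absolute_path(image: str) -> bool:
    """The rule's selection: an image is treated as a full path if it
    contains a backslash. This is the only path test the rule makes."""
    return "\\" in image


def matches_rule(event: Event) -> bool:
    """Return True when the event would trigger 'Execution Of Non-Existing File'."""
    image = event.get("Image")
    # Filters for a missing or empty image field: nothing to evaluate.
    if image is None or image == "":
        return False
    # Filter for known benign bare image names.
    if image in BENIGN_BARE_IMAGES:
        return False
    # Every remaining event alerts when the image lacks a backslash.
    return not has_absolute_path(image)


def alerting_images(events: List[Event]) -> List[str]:
    """Images of all events that match the rule, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS: List[Event] = [
    # Normal execution: full Win32 path, does not alert.
    {"EventID": "1", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Kernel-owned process logged without a path: filtered as benign.
    {"EventID": "1", "Image": "System"},
    # Field absent or empty: filtered.
    {"EventID": "1", "Image": None},
    {"EventID": "1", "Image": ""},
    # Bare image name with no path at all: alerts. A process whose backing
    # file was deleted before it started (process ghosting) may be logged like this.
    {"EventID": "1", "Image": "payload.exe", "CommandLine": "payload.exe"},
    # NT device path: contains backslashes, so it does not alert.
    {"EventID": "1", "Image": "\\Device\\HarddiskVolume3\\Temp\\tool.exe"},
    # Forward-slash Win32 path: no backslash, so the rule as described alerts.
    {"EventID": "1", "Image": "C:/Users/Public/x.exe"},
]

if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT Execution Of Non-Existing File:", image)
```

Running the sample shows the two properties a practitioner should keep in mind when deploying this rule: the path test is purely "contains a backslash", so a forward-slash path alerts while an NT device path does not, and the benign-name filter must cover every bare image name your own telemetry source emits, or those will alert on every boot.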
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2021-12-09