
Summary
This detection rule identifies potentially suspicious attempts to execute files that lack a standard executable extension such as ".exe". It is written to catch process creation events that start through unconventional means, including process ghosting, where malicious actors may evade standard detection mechanisms by executing non-standard file types. The detection logic applies several filters to exclude known benign operations and focuses on identifying risky behaviour in Windows environments. To operate effectively, the rule may require baseline data gathering, especially where third-party tools are in use in a particular environment. Monitoring centres on process creation events and uses characteristics of the executed image, such as its path and its parent process, to separate legitimate activity from suspicious activity.
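The core check described above, run over a few constructed process creation events, as an added illustration that is not the rule's own logic: the extension allowlist, the benign path prefix and the benign parent image are assumptions chosen for this example, not the rule's real filter list.

```python
"""Toy version of the rule's core check over constructed Sysmon-style
process creation events (field names Image, ParentImage, ProcessId)."""
from pathlib import PureWindowsPath

# Assumed allowlist of "standard executable" extensions for this example.
STANDARD_EXEC_EXTENSIONS = {".exe"}
# Assumed benign filters standing in for the rule's real exclusion list.
BENIGN_IMAGE_PREFIXES = ("c:\\windows\\system32\\driverstore\\",)
BENIGN_PARENT_IMAGES = {"c:\\windows\\system32\\svchost.exe"}


def image_extension(image: str) -> str:
    """Lower-cased extension of a Windows image path ('' when it has none)."""
    return PureWindowsPath(image.strip()).suffix.lower()


def is_suspicious(event: dict) -> bool:
    """True when the image lacks a standard executable extension and no benign
    filter matches. An empty Image is treated as suspicious here (assumption),
    since a process creation without an image name is itself unusual."""
    image = (event.get("Image") or "").strip().lower()
    if not image:
        return True
    if image_extension(image) in STANDARD_EXEC_EXTENSIONS:
        return False
    if image.startswith(BENIGN_IMAGE_PREFIXES):
        return False
    parent = (event.get("ParentImage") or "").strip().lower()
    return parent not in BENIGN_PARENT_IMAGES


def flag_events(events) -> list:
    """Return the ProcessIds of all events the check flags."""
    return [e["ProcessId"] for e in events if is_suspicious(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 101, "Image": "C:\\Users\\Public\\report.pdf",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 102, "Image": "C:\\Temp\\installer",  # no extension at all
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 103, "Image": "C:\\Windows\\System32\\DriverStore\\tool.dat",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},  # benign filter hit
    {"ProcessId": 104, "Image": "", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))  # [101, 102, 104]
```

Tuning the two filter constants against a baseline of normal process creations in the environment is the step the summary calls baseline data gathering.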
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-12-09