
Windows Cloud Files Filter Loaded by Uncommon Process

Splunk Security Content

Summary
Technical summary: This anomaly rule detects cldapi.dll, the user-mode library of the Windows Cloud Files API (the front end for the Cloud Files mini filter driver, cldflt.sys), being loaded by a process that is not associated with legitimate cloud sync activity. The rule keys on Sysmon Event ID 7 (ImageLoaded) records whose loaded image is cldapi.dll and excludes known legitimate cloud clients and common Windows system processes to reduce false positives. Matches are aggregated by computer, loaded image, and loading process, with firstTime and lastTime recorded for investigative visibility. The Cloud Files API has been implicated in local privilege escalation exploits, so the heuristic surfaces unusual use of cldapi.dll by non-standard processes.

Operators should verify the loading executable (path, hash, parent, user) and check the signature indicators. Note that on Event ID 7 the Sysmon TA fields service_dll_signature_exists and service_dll_signature_verified describe the loaded image (cldapi.dll), not the loading process: the genuine DLL is Microsoft-signed and lives under the Windows system directories, so an unsigned copy or a copy loaded from anywhere else is itself a sideloading indicator, while the loading process's own signature has to be taken from its process-creation event. False positives may occur with other third-party cloud storage software; tailor the allowlist to the environment. Requires endpoint image-load telemetry with the digital signature fields populated; Sysmon v6.0.4 or later with the appropriate Sysmon TA is recommended.
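As an added example (not Splunk's search and not the project's own code), the detection logic described above, re-implemented in Python over constructed Sysmon Event ID 7 records using the Splunk Sysmon TA field names. It goes one step beyond the rule by also flagging a cldapi.dll loaded from outside the Windows system directories, which is the sideloading case the signature caveat above points at. The allowlist, the assumed system drive C:, and every host, user and path in the sample events are illustrative assumptions.

```python
from dataclasses import dataclass, field

TARGET_DLL = "cldapi.dll"

# Assumed allowlist of processes that legitimately load cldapi.dll. Illustrative
# stand-in only; it is not the exclusion list shipped with the Splunk rule.
ASSUMED_ALLOWLIST = {"onedrive.exe", "explorer.exe", "svchost.exe", "searchprotocolhost.exe"}

# Assumed home of the genuine DLL (system drive C:). A copy anywhere else is a sideload indicator.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon records (Splunk Sysmon TA field names). Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 900, "EventCode": 7, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"_time": 950, "EventCode": 7, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"_time": 1000, "EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",   # process create, not an image load
     "Image": r"C:\Users\alice\AppData\Local\Temp\poc.exe"},
    {"_time": 1000, "EventCode": 7, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\poc.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"_time": 1060, "EventCode": 7, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\poc.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"_time": 2000, "EventCode": 7, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Users\bob\Downloads\updater.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\cldapi.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"_time": 2010, "EventCode": 7, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true", "SignatureStatus": "Valid"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outside_system_dir(path: str) -> bool:
    """True when the loaded image does not sit under System32 or SysWOW64."""
    p = path.replace("/", "\\").lower()
    return not p.startswith(SYSTEM_DIRS)


@dataclass
class Hit:
    computer: str
    image: str                 # process that loaded the DLL
    image_loaded: str          # full path of cldapi.dll as reported
    first_time: int
    last_time: int
    dll_outside_system_dir: bool
    count: int = 0
    users: set = field(default_factory=set)
    signature_exists: set = field(default_factory=set)    # Sysmon "Signed" of the loaded DLL
    signature_verified: set = field(default_factory=set)  # Sysmon "SignatureStatus" of the loaded DLL


def detect_uncommon_cldapi_loads(events, allowlist=ASSUMED_ALLOWLIST):
    """EventCode=7, ImageLoaded is cldapi.dll, loading process not allowlisted;
    aggregated by (Computer, ImageLoaded, Image) with firstTime/lastTime and a count."""
    hits = {}
    for ev in events:
        if str(ev.get("EventCode")) != "7":
            continue
        if basename(ev.get("ImageLoaded", "")) != TARGET_DLL:
            continue
        if basename(ev.get("Image", "")) in allowlist:
            continue
        key = (ev["Computer"], ev["ImageLoaded"], ev["Image"])
        t = int(ev["_time"])
        hit = hits.get(key)
        if hit is None:
            hit = Hit(ev["Computer"], ev["Image"], ev["ImageLoaded"], t, t,
                      outside_system_dir(ev["ImageLoaded"]))
            hits[key] = hit
        hit.count += 1
        hit.first_time = min(hit.first_time, t)
        hit.last_time = max(hit.last_time, t)
        hit.users.add(ev.get("User", ""))
        hit.signature_exists.add(ev.get("Signed", ""))
        hit.signature_verified.add(ev.get("SignatureStatus", ""))
    return sorted(hits.values(), key=lambda h: (h.computer, h.image))


if __name__ == "__main__":
    for h in detect_uncommon_cldapi_loads(SAMPLE_EVENTS):
        flag = " [DLL outside system dir]" if h.dll_outside_system_dir else ""
        print(f"{h.computer} {h.image} loaded {h.image_loaded} x{h.count} "
              f"first={h.first_time} last={h.last_time} users={sorted(h.users)}{flag}")
```

Running it yields two hits: poc.exe on WS01 (two loads of the genuine System32 DLL, so only the process path is suspicious) and updater.exe on WS02, where the DLL itself is unsigned and outside the system directory. The OneDrive and explorer loads are dropped by the allowlist, the EventCode 1 record is ignored, and the ntdll.dll load never matches.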
Categories
  • Endpoint
  • Windows
Data Sources
  • Image
  • Process
ATT&CK Techniques
  • T1543.003
  • T1068
Created: 2026-06-16