Windows Cloud Files Filter Log Created by Non-System Process

Splunk Security Content

Summary
Detects a non-system process creating CldFlt0.etl under the Cloud Files log directory (C:\Windows\System32\LogFiles\CloudFiles\). The CldFlt driver initializes this path when a process calls CfRegisterSyncRoot() or CfConnectSyncRoot(). In the RedSun intrusion scenario, DoCloudStuff() triggers a fake sync provider to generate a cloud-tagged bait file, a behavior that legitimate cloud providers (e.g., OneDrive) avoid because they run their sync roots from SYSTEM-level services rather than from user-context executables. The rule uses Sysmon Event ID 11 (FileCreate), filters TargetFilename to the CloudFiles directory, and excludes common system image paths (Windows System32, SysWOW64, and WindowsApps). It aggregates the remaining events by action, destination, file name/path, image, and process GUID, renders first/last seen times, and applies a detection filter. Creation of the cloud-files filter log by a non-system process is anomalous and indicative of the privilege escalation activity associated with RedSun. The rule applies to Windows endpoints and is intended to detect exploitation patterns around cloud storage integration mechanisms. It is mapped to MITRE ATT&CK technique T1068 (Privilege Escalation).
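The following is an added Python re-implementation of the search logic described in the summary; it is not the rule's own SPL and is not code from Splunk Security Content. It applies the same three steps (keep Sysmon Event ID 11, keep only targets under the CloudFiles log directory, drop images under the excluded system paths) and then aggregates per action/dest/file name/file path/image/process GUID with count and first/last seen times. The Sysmon field names (UtcTime, Computer, Image, ProcessGuid, TargetFilename) are the real ones; the exact exclusion prefixes and the sample events are constructed assumptions.

```python
"""Added example: Python mirror of the CloudFiles filter-log detection logic
run over constructed Sysmon Event ID 11 (FileCreate) records."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Directory that the CldFlt driver initialises when a process calls
# CfRegisterSyncRoot() or CfConnectSyncRoot().
CLOUDFILES_LOG_DIR = "C:\\Windows\\System32\\LogFiles\\CloudFiles\\"

# Image-path prefixes treated as system locations and excluded from results.
# The exact prefixes are an assumption; the page names only the directories.
EXCLUDED_IMAGE_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Program Files\\WindowsApps\\",
)

# Constructed sample events (not data from the page) using Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2026-06-16 10:00:01.000", "Computer": "ws01",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessGuid": "{GUID-SYS-1}",
     "TargetFilename": CLOUDFILES_LOG_DIR + "CldFlt0.etl"},  # system image: excluded
    {"EventID": 11, "UtcTime": "2026-06-16 10:05:12.000", "Computer": "ws01",
     "Image": "C:\\Users\\alice\\Downloads\\fakesync.exe", "ProcessGuid": "{GUID-USR-2}",
     "TargetFilename": CLOUDFILES_LOG_DIR + "CldFlt0.etl"},  # user-context image: flagged
    {"EventID": 11, "UtcTime": "2026-06-16 10:07:40.000", "Computer": "ws01",
     "Image": "C:\\Users\\alice\\Downloads\\fakesync.exe", "ProcessGuid": "{GUID-USR-2}",
     "TargetFilename": CLOUDFILES_LOG_DIR + "CldFlt0.etl"},  # same process again: aggregated
    {"EventID": 11, "UtcTime": "2026-06-16 10:08:00.000", "Computer": "ws01",
     "Image": "C:\\Users\\alice\\Downloads\\fakesync.exe", "ProcessGuid": "{GUID-USR-2}",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.txt"},  # outside CloudFiles: ignored
    {"EventID": 1, "UtcTime": "2026-06-16 10:09:00.000", "Computer": "ws01",
     "Image": "C:\\Users\\alice\\Downloads\\fakesync.exe", "ProcessGuid": "{GUID-USR-2}",
     "TargetFilename": CLOUDFILES_LOG_DIR + "CldFlt0.etl"},  # not a FileCreate event: ignored
]


def is_in_cloudfiles_dir(target_filename: str) -> bool:
    """Case-insensitive check that the created file sits under the CloudFiles log directory."""
    return target_filename.lower().startswith(CLOUDFILES_LOG_DIR.lower())


def is_system_image(image: str) -> bool:
    """True when the creating process image lives under an excluded system path."""
    image_l = image.lower()
    return any(image_l.startswith(p.lower()) for p in EXCLUDED_IMAGE_PREFIXES)


def detect(events: list[dict]) -> list[dict]:
    """Filter FileCreate events to the CloudFiles directory, drop system images,
    and aggregate per (action, dest, file_name, file_path, image, process_guid)
    with a count and first/last seen times, mirroring the rule's grouping."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        target = ev.get("TargetFilename", "")
        image = ev.get("Image", "")
        if not is_in_cloudfiles_dir(target) or is_system_image(image):
            continue
        file_path, _, file_name = target.rpartition("\\")
        key = ("created", ev["Computer"], file_name, file_path, image, ev["ProcessGuid"])
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        g = groups[key]
        g["count"] += 1
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)

    results = []
    for (action, dest, file_name, file_path, image, guid), g in groups.items():
        results.append({
            "action": action, "dest": dest, "file_name": file_name,
            "file_path": file_path, "image": image, "process_guid": guid,
            "count": g["count"],
            "firstTime": g["first"].strftime("%Y-%m-%d %H:%M:%S"),
            "lastTime": g["last"].strftime("%Y-%m-%d %H:%M:%S"),
        })
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Run against the constructed events, only the user-context fakesync.exe row survives: the svchost.exe creation is dropped by the System32 exclusion, the notes.txt write is outside the CloudFiles directory, and the Event ID 1 record is not a FileCreate. The two surviving creations collapse into a single row with count 2 and the first/last seen times the rule renders, which is the shape an analyst would triage.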
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Image
  • File
  • Logon Session
  • Kernel
  • Sensor Health
  • Module
  • WMI
  • Script
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1068
Created: 2026-06-16