Rule Info
Name
Potentially Suspicious Load of Cldapi DLL
Author
Aziz Farghly
Description
Detects potentially suspicious loading of Cldapi.dll, which is associated with the Windows Cloud Files API.
While Cldapi.dll is a legitimate system component, its loading can be abused by attackers to execute code in the context of trusted processes or to escalate privileges, as in Green Plasma.
Date
2026-05-27 00:00:00
Modified
None
Id
0d0a1f9b-3c54-4f1c-b15d-1c0a9c1b7d54
Tags
attack.privilege-escalation attack.t1068
Type
Nextron Sigma feed only (private)
