add Azure Run Command script drop detection

adds new detection rule for PowerShell scripts created by the Azure Run Command feature on Windows hosts which addresses a visibility gap where Azure Activity Logs do not capture the script content.

Author: vl43den

rules/windows/file/file_event/file_event_win_azure_run_command_script_drop.yml

@@ -0,0 +1,34 @@
+title: Azure Run Command Script File Creation
+id: 3f896781-c907-4781-b018-781907152519
+related:
+    - id: 5a2e6f43-85f2-4e6a-8d3b-9c2e1f4a5b6c
+      type: similar
+status: test
+description: |
+    Detects creation of PowerShell scripts in the Azure Run Command plugin directory.
+    According to Mandiant research, Azure Activity Logs don't capture script contents by default,
+    making file monitoring critical for detecting malicious commands. Scripts are downloaded to
+    a predictable path before execution, allowing detection of the actual malicious code being
+    pushed to virtual machines via Azure Run Command.
+author: Vladan Sekulic
+date: 2025-12-17
+references:
+    - https://cloud.google.com/blog/topics/threat-intelligence/azure-run-command-dummies
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains|all:
+            - '\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\'
+            - '\Downloads\script'
+        TargetFilename|endswith: '.ps1'
+    condition: selection
+falsepositives:
+    - Legitimate administrative scripts executed via Azure Run Command
+    - Automated patching and configuration management
+    - Azure Automation runbooks
+level: medium
+tags:
+    - attack.execution
+    - attack.t1059.001