update: added azure vm run command rule

Author: vl43den

rules/cloud/azure/activity_logs/azure_vm_run_command_execution.yml

@@ -0,0 +1,32 @@
+title: Azure VM Run Command Execution
+id: 5a2e6f43-85f2-4e6a-8d3b-9c2e1f4a5b6c
+status: experimental
+description: |
+    Detects the execution of the 'Run Command' action on an Azure Virtual Machine via the Azure Activity Log.
+    Adversaries with 'Virtual Machine Contributor' rights (and higher) can use this to execute arbitrary code even when NSGs block SSH/RDP.
+author: Vladan Sekulic
+date: 2025-12-17
+references:
+    - https://cloud.google.com/blog/topics/threat-intelligence/azure-run-command-dummies
+    - https://cloud.google.com/blog/topics/threat-intelligence/russian-targeting-gov-business?hl=en
+    - https://learn.microsoft.com/azure/virtual-machines/run-command
+logsource:
+    product: azure
+    service: activitylogs
+detection:
+    selection:
+        operationName:
+            - 'Microsoft.Compute/virtualMachines/runCommand/action'
+            - 'Microsoft.Compute/virtualMachines/runCommands/write'
+        status:
+            - 'Started'
+            - 'Succeeded'
+    condition: selection
+falsepositives:
+    - Legitimate system administration
+    - Automated configuration or patching workflows
+    - Azure Automation and Automanage operations
+level: medium
+tags:
+    - attack.execution
+    - attack.t1059