Weak or Abused Passwords In CLI

Sigma Rules

Summary
The rule 'Weak or Abused Passwords In CLI' detects weak or commonly abused passwords supplied on the command line in a Windows environment. It focuses on unauthorized user creation, where threat actors typically pass a weak password inline while using the 'net' command to create new users. The rule checks command lines for patterns indicative of weak passwords, such as '123456789', 'P@ssw0rd!', and other frequently abused passwords associated with cyber threats. This helps organizations detect misuse of CLI commands to create accounts that could facilitate unauthorized access or lateral movement within a network. The detection condition is satisfied if any command line contains one of these weak passwords, which lets security teams respond proactively and reduces the risk of password abuse by flagging such attempts for further investigation.
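The matching condition described in the summary, run over constructed process-creation events, as an added example that is not the rule's own source. It assumes case-insensitive substring matching (Sigma's default for string values) and uses only the two passwords named above; the `net user ... /add` check is a hypothetical triage helper, not part of the rule.

```python
import re

# Only the two passwords the summary names; the rule's full list is not on this page.
WEAK_PASSWORDS = ["123456789", "P@ssw0rd!"]

# Constructed process-creation events (hypothetical accounts and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup P@ssw0rd! /add"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 user helpdesk2 123456789 /ADD /domain"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user alice p@SSW0RD! /add"},       # case variant
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user bob Xk7#qLm92vT! /add"},      # no listed password
    {"Image": r"C:\Tools\export.exe",
     "CommandLine": "export.exe --order-id 123456789 --format csv"},  # benign number
]

def weak_password_hits(command_line):
    """Return every listed password contained in the command line.

    Assumption: case-insensitive 'contains' matching.
    """
    lowered = command_line.lower()
    return [p for p in WEAK_PASSWORDS if p.lower() in lowered]

# Hypothetical triage helper (not part of the rule): does the command line
# look like an account creation through net.exe / net1.exe?
NET_USER_ADD = re.compile(r"\bnet1?(\.exe)?\"?\s+user\b.*\s/add\b", re.IGNORECASE)

def looks_like_net_user_add(command_line):
    return bool(NET_USER_ADD.search(command_line))

def evaluate(events):
    """Apply the 'any command line contains a weak password' condition."""
    alerts = []
    for index, event in enumerate(events):
        hits = weak_password_hits(event["CommandLine"])
        if hits:
            alerts.append({
                "index": index,
                "matched": hits,
                "account_creation": looks_like_net_user_add(event["CommandLine"]),
            })
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The last sample event matches on the bare number alone, which shows why a hit from a pure substring condition still needs context (here, whether the command is an account creation) during triage.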
Categories
  • Endpoint
  • Windows
Data Sources
  • Command
Created: 2022-09-14