
Summary
This rule detects executions of the Windows command line utility net.exe (or its variant net1.exe) with a password passed in the command parameters. It targets the 'use' command, which connects to shared resources such as network drives, and inspects the command line arguments for patterns indicating that a password is being supplied in plaintext, a sign of possible misuse or credential leakage. The detection logic has two selection criteria: the process image must be net.exe or net1.exe, and the command line must contain the patterns that indicate a password is being passed. False positives are expected where the true intent of the command cannot be determined from the command line alone. Credentials exposed on the command line (and therefore in process-creation logs) are a common enabler of lateral movement or unauthorized access in a compromised environment. The rule's level is medium: a notable alert that warrants further investigation, especially in environments where security policy prohibits exposing credentials on command lines.
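Detection logic along the lines described above, as an added example (not the rule's own Sigma logic): the image check uses the rule's net.exe/net1.exe names, while the password-token heuristic for 'net use' and the sample events are my assumptions.

```python
import re

# Image name endings named by the rule.
NET_IMAGES = ("\\net.exe", "\\net1.exe")
# Assumed heuristic for 'net use [drive:] \\server\share [password|*] [/switches]':
# any token after 'use' that is not a switch, '*', a drive letter or a UNC path
# is treated as a plaintext password. This is my approximation, not the rule's exact pattern.
DRIVE = re.compile(r"^[A-Za-z]:$")
UNC = re.compile(r"^\\\\[^\\]+\\.+$")

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share Summer2021! /user:CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"net1 use \\fileserver\share /user:CORP\jdoe *"},  # '*' prompts, no secret
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net use"},  # lists connections
    {"Image": r"C:\Windows\System32\cmd.exe",  # wrong image; the child net.exe event would match
     "CommandLine": r"cmd /c net use Z: \\fs\share P@ss /user:CORP\svc"},
]


def find_plaintext_password(event):
    """Return the suspected password token from a 'net use' command line, or None."""
    if not event.get("Image", "").lower().endswith(NET_IMAGES):
        return None
    tokens = event.get("CommandLine", "").split()
    if len(tokens) < 2 or tokens[1].lower() != "use":
        return None
    for tok in tokens[2:]:
        if tok.startswith("/") or tok == "*" or DRIVE.match(tok) or UNC.match(tok):
            continue
        return tok
    return None


def scan(events):
    """Produce findings with the secret masked so the alert itself does not re-expose it."""
    findings = []
    for ev in events:
        secret = find_plaintext_password(ev)
        if secret is not None:
            findings.append({"image": ev["Image"],
                             "cmdline": ev["CommandLine"].replace(secret, "<REDACTED>")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```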
Categories
- Endpoint
- Windows
- Network
Data Sources
- Process
Created: 2021-12-09