diff --git a/rules/windows/process_creation/win_susp_net_use_password_plaintext.yml b/rules/windows/process_creation/win_susp_net_use_password_plaintext.yml
new file mode 100644
index 000000000..308c779fd
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_net_use_password_plaintext.yml
@@ -0,0 +1,21 @@
+title: Password provided in command line of net.exe
+id: d4498716-1d52-438f-8084-4a603157d131
+status: experimental
+description: Detects a when net.exe is called with a password in the command line
+references:
+ - Internal Research
+author: Tim Shelton (HAWK.IO)
+date: 2021/12/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: C:\Windows\System32\net.exe
+ selection_special:
+ - Image|re:
+ - 'net.*use [a-zA-]\:\s+\\\\[^\s]+\s+\/USER:\s*[^\s]+\s+([^\s]+)'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
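Review bot: `selection_special` applies the command-line regex to `Image`, which carries only the executable path, so together with `condition: all of selection*` this rule can never fire; the modifier should be on the command line, i.e. `- CommandLine|re:`. The drive-letter class `[a-zA-]` matches lowercase letters, `A` and a literal `-` but not `B`–`Z`, so `[a-zA-Z]` is presumably intended: `- 'net.*use [a-zA-Z]\:\s+\\\\[^\s]+\s+\/USER:\s*[^\s]+\s+([^\s]+)'`. Whether `|re` is case-insensitive (for `/user:` in lowercase) depends on the backend, and the exact `Image` path skips `net1.exe` and the SysWOW64 copy, so `Image|endswith: '\net.exe'` may be the more robust selection. The description should read `Detects when net.exe is called with a password in the command line`, and listing the plain-text credential exposure as the rationale in `references` or the description would help triage.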