diff --git a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
new file mode 100644
index 000000000..4f802b9ae
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
@@ -0,0 +1,24 @@
+title: Mimikatz through Windows Remote Management
+description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
+references:
+    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+author: Patryk Prauze - ING Tech
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 10
+        TargetImage: 'C:\windows\system32\lsass.exe'
+        SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
+    condition: selection
+tags:
+    - attack.credential_access
+    - attack.execution
+    - attack.t1003
+    - attack.t1028
+    - attack.s0005
+falsepositives:
+    - low
+level: high
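Review bot: The two image paths in `selection` are pinned to a fixed drive letter and system directory, so an lsass.exe or wsmprovhost.exe under a different system root is never matched, and the two values also disagree on the casing of `Windows`, which matters on any backend that compares case-sensitively; the Sigma wildcard form, `TargetImage: '*\lsass.exe'` and `SourceImage: '*\wsmprovhost.exe'`, removes both problems and matches how comparable rules in this repository express image paths. A newly added rule would normally carry `status: experimental` rather than `stable` until it has been exercised against production telemetry. `falsepositives` is meant to list the benign sources that can trigger the rule (or `Unknown`), not a likelihood estimate such as `low`. The file name spells the title's word as `trough`; renaming it to `sysmon_mimikatz_through_winrm.yml` keeps the path consistent with the title.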