Create spnego_http.yaml

miscellaneous/spnego_http.yaml

@@ -0,0 +1,30 @@
+id: SPNEGO_HTTP
+
+info:
+  name: Identifying SPNEGO over HTTP (might be useful for finding CVE-2022-37958)
+  author: @lady_bug, @ruppde
+  severity: Info
+  reference:
+    - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/?utm_social-type=owned&utm_source=twitter&utm_medium=social&utm_brand=ars
+  tags: misc,windows
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
+    max-redirects: 5
+
+    threads: 10
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(tolower(all_headers), 'www-authenticate: negotiate')"
+
+    extractors:
+      - type: kval
+        kval:
+          - 'www_authenticate'