diff --git a/miscellaneous/spnego.yaml b/miscellaneous/spnego.yaml
new file mode 100644
index 00000000000..b931e446cad
--- /dev/null
+++ b/miscellaneous/spnego.yaml
@@ -0,0 +1,33 @@
+id: spnego
+
+info:
+  name: SPNEGO - Detect
+  author: lady_bug,ruppde
+  severity: info
+  description: |
+    SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. It is a protocol used for secure authentication and negotiation between client and server applications in a network environment. SPNEGO is based on the Generic Security Services Application Programming Interface (GSSAPI) framework.
+  reference:
+    - https://www.ibm.com/docs/en/was-liberty/core?topic=authentication-single-sign-http-requests-using-spnego-web
+    - https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/
+  metadata:
+    verified: true
+    shodan-query: 'www-authenticate: negotiate'
+  tags: misc,windows,spnego
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 5
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(tolower(all_headers), 'www-authenticate: negotiate')"
+
+    extractors:
+      - type: kval
+        kval:
+          - 'www_authenticate'