title: Suspicious Query of MachineGUID
id: f5240972-3938-4e56-8e4b-e33893176c1f
status: experimental
description: Use of reg to get MachineGuid information
author: frack113
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
date: 2022/01/01
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: \reg.exe
        CommandLine|contains|all:
            - 'SOFTWARE\Microsoft\Cryptography'
            - '/v '
            - 'MachineGuid'
    condition: selection
falsepositives:
    - Unknown
level: low
tags:
    - attack.discovery
    - attack.t1082