21: Why does Microsoft 365 Defender report suspicious encoded content in PolicyPak Application Settings Manager values?

The following PolicyPak registry value's data may be flagged as suspicious encoded content.

Location: HKEY_CURRENT_USER\S-1-5-21-...\Software\Policies\PolicyPak\{26E3A6CB-3C62-47B7-960D-7662766E4C6A}\Name-of-the-AppSet\

Value: (XmlReport)

We have received reports that Microsoft Defender lists it under the category MITRE ATT&CK Techniques, with the suspicious activity classified as T1001: Data Obfuscation.

The data in this registry value is base64-encoded and stores information for XML reporting purposes. Its classification as a high-severity issue can be ignored.

More information about T1001:Data Obfuscation is at this link: https://attack.mitre.org/techniques/T1001/
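Before dismissing the alert, an analyst can confirm that the flagged data matches the description above. The following is an added example, not PolicyPak or Microsoft code. The function name `triage_encoded_value` is hypothetical, the sample value is constructed, and the script assumes the decoded bytes are XML text in UTF-8 or UTF-16.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample: a made-up XML document, base64-encoded as the article
# describes. It is not real PolicyPak report data.
SAMPLE_VALUE = base64.b64encode(
    '<Report appset="Name-of-the-AppSet"><Item state="applied"/></Report>'
    .encode("utf-16-le")).decode("ascii")


def triage_encoded_value(value_data):
    """Classify exported registry value data; nothing in it is executed."""
    verdict = {"base64": False, "xml": False, "root": None, "bytes": 0, "note": ""}
    try:
        # Strict decoding: any character outside the base64 alphabet is an error.
        raw = base64.b64decode("".join(value_data.split()), validate=True)
    except (binascii.Error, ValueError):
        verdict["note"] = "not valid base64; does not match the documented format"
        return verdict
    verdict.update(base64=True, bytes=len(raw))

    # Assumption: the decoded bytes are XML text in UTF-8 or UTF-16.
    for codec in ("utf-8-sig", "utf-16", "utf-16-le"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if "<!DOCTYPE" in text.upper() or "<!ENTITY" in text.upper():
            # Refuse to parse DTDs: entity expansion is a parser DoS risk.
            verdict["note"] = "contains a DTD; not parsed, review manually"
            return verdict
        try:
            root = ET.fromstring(text)
        except (ET.ParseError, ValueError):
            continue  # wrong codec guess or not XML; try the next one
        verdict.update(xml=True, root=root.tag, note="decodes to well-formed XML")
        return verdict
    verdict["note"] = "base64 decodes, but not to XML text; needs manual review"
    return verdict


if __name__ == "__main__":
    print(triage_encoded_value(SAMPLE_VALUE))
```

Paste the value data shown in the alert evidence in place of `SAMPLE_VALUE`; a result other than well-formed XML means the data does not match this article's description and the alert should be reviewed rather than ignored.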
