Please open a TAC case and refer to CP-48248. According to the previous information, versions higher than 6.12.2 should not have impacket.
If you have upgraded the ClearPass appliance, it may be that the backup partition still has an older version, and this check seems to work on the raw disks. Upgrading again may resolve the message.
Regardless, I think you can ignore the alert, as ClearPass is not a general-purpose operating system and users can't log in to use that tool.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Apr 09, 2026 04:58 AM
From: breenubee
Subject: Impacket alerts on new ClearPass servers
Hi,
I am also being asked the same thing by a customer, but apparently they perhaps never fully read that their report also points me to this thread.
I have currently already patched theirs to 6.12.7.
Dear Client,
We have observed similar Azure Microsoft Defender for Cloud security alerts on the Azure virtual machine <cust_cppm_node>2, which appears to be a ClearPass Policy Manager (CPPM) server (image ID: hewlettpackardenterprise1:aruba_cppm_6-12:clearpass_6_12_0:latest) created on 7 April 2026. Additionally, the instance is exposed to 1054 vulnerabilities, including 565 classified as critical or high by Orca. No high/critical severity risks or Attack Paths were detected.
The following agentless alerts were generated on the VM:
• "Impacketsmbrelax" hacktool detected (Agentless)
• "Impacket" hacktool detected (Agentless)
• "Sharpscshell" malware detected (Agentless)
Initial analysis indicates that these alerts may have been triggered by the presence of Impacket version 0.9.22 installed on the server. Based on publicly available HPE Aruba ClearPass community discussions, Impacket is included as part of the ClearPass Policy Manager software stack and is typically utilized only when Agentless OnGuard functionality is configured and in use.
While ClearPass may legitimately include Impacket binaries, Microsoft Defender may still flag these components due to their dual use nature. Additionally, the Sharpscshell detection is not a standard ClearPass component, and therefore warrants further validation to rule out the presence of unrelated suspicious files or potential compromise.
To accurately determine whether these alerts represent benign ClearPass components, it is essential to validate the exact files, file paths, or hashes that triggered the detections.
Reference:
https://airheads.hpe.com/discussion/impacket-alerts-on-new-clearpass-servers - HPE Aruba ClearPass community discussion
https://app.orcasecurity.io/alerts/orca-134818 - Orca alert link
Recommendations:
Given that VM <cust_cppm_node>2 was only recently deployed and is running ClearPass Policy Manager, the alerts may be associated with legitimate application components.
To proceed with a definitive assessment, we kindly request your assistance with the following:
1. Provide or review the alert details (file names, file paths, and hashes) from the Azure Defender alerts so that Lumen can perform a deeper validation.
2. Confirm with HPE Aruba whether:
   o Impacket version 0.9.22 and related packages are required for your ClearPass deployment.
3. If confirmed as benign, consider suppressing these alerts using Azure Defender alert suppression rules to prevent recurring false positives: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules
Azure Alert Links:
• Sharpscshell malware detected (Agentless): https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/cc604d02-be55-3dce-dc15-dffb65177315/subscriptionId/e631b7cf-0649-428d-8f77-d0846901b1fd/resourceGroup/AGS-SH-CPPM1-RG/referencedFrom/alertDeepLink/location/centralus
• Impacket hacktool detected (Agentless): https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/569bcc25-dcbf-25b9-bfc8-f0c6a81392dc/subscriptionId/e631b7cf-0649-428d-8f77-d0846901b1fd/resourceGroup/AGS-SH-CPPM1-RG/referencedFrom/alertDeepLink/location/centralus
• Impacketsmbrelax hacktool detected (Agentless):
Original Message:
Sent: May 22, 2025 03:45 PM
From: TA-JohnR
Subject: Impacket alerts on new ClearPass servers
Does anyone have anything official/definitive for why brand new ClearPass servers would trip alerts for the presence of Impacket tools? These are brand new Azure VMs, created from the Azure Marketplace model from HPE, version 6.12. The servers are accessible from internal only, they do not have public IPs, so I would think the chances that both times someone was able to hack them at the same point is extremely slim. We saw the same alerts some months ago when we built a couple of CP servers with version 6.11 as well. At the time, our MSP indicated that they have seen it with new ClearPass servers on other clients they have that use Aruba equipment. I've run multiple searches but nobody seems to have posted about the ClearPass/Impacket combination, so I'd like to get more than a single anecdotal confirmation that it is a false positive. I'm aware that Impacket is basically just an open source Python set of tools that are notably used by some hacking tools, but seem to have legit uses also.
Can anyone clarify further?
TIA
John