Abuse of JamPlus.exe to launch malicious payloads via crafted .jam files, resulting in abnormal process creation, command execution, or artifact generation outside of standard development workflows.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Process Metadata (DC0034) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Unsigned or untrusted modules loaded during JamPlus.exe runtime |

| Field | Description |
|---|---|
| TimeWindow | Correlation time window (e.g., 0–30 minutes) for JamPlus.exe execution, child processes, and file/network events. |
| AllowedBuildHosts | Known developer systems where JamPlus.exe usage is expected; alerts are raised if executed elsewhere. |
| SuspiciousChildList | Child processes considered anomalous (e.g., PowerShell, cmd, wscript) when spawned by JamPlus.exe. |
| RarePathRegex | Regex patterns for non-standard or user-writable paths where JamPlus.exe drops artifacts. |
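The correlation these tunable parameters describe, written out as an added Python example (not code from this page or from any vendor's analytic). Event dicts, host names, paths and parameter values are constructed assumptions standing in for Security 4688 and Sysmon 11 records; a real deployment would feed normalized SIEM events instead.

```python
import re
from datetime import datetime, timedelta

# Tunable parameters from the table above (constructed example values).
TIME_WINDOW = timedelta(minutes=30)
ALLOWED_BUILD_HOSTS = {"DEV-BUILD01", "DEV-BUILD02"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RARE_PATH_REGEX = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Correlate each JamPlus.exe start (4688) with same-host events inside TimeWindow."""
    findings = []
    anchors = [e for e in events
               if e["event_id"] == 4688 and basename(e["image"]) == "jamplus.exe"]
    for a in anchors:
        if a["host"] not in ALLOWED_BUILD_HOSTS:          # AllowedBuildHosts check
            findings.append(("unexpected_host", a["host"], a["image"]))
        for e in events:
            if e["host"] != a["host"] or not (a["time"] <= e["time"] <= a["time"] + TIME_WINDOW):
                continue
            # Security 4688: anomalous child whose parent is JamPlus.exe (SuspiciousChildList)
            if (e["event_id"] == 4688 and basename(e.get("parent", "")) == "jamplus.exe"
                    and basename(e["image"]) in SUSPICIOUS_CHILDREN):
                findings.append(("suspicious_child", e["host"], e["image"]))
            # Sysmon 11: JamPlus.exe wrote an artifact into a user-writable path (RarePathRegex)
            if (e["event_id"] == 11 and basename(e["image"]) == "jamplus.exe"
                    and RARE_PATH_REGEX.search(e["target"])):
                findings.append(("rare_path_write", e["host"], e["target"]))
    return findings

# Constructed sample telemetry (not real logs); 'image' is the process path,
# 'parent' the parent process path, 'target' the created file.
T0 = datetime(2024, 1, 1, 12, 0)
def ev(minutes, host, event_id, image, **fields):
    return {"time": T0 + timedelta(minutes=minutes), "host": host,
            "event_id": event_id, "image": image, **fields}

JAM_DEV, JAM_USR = r"C:\Tools\JamPlus\JamPlus.exe", r"C:\Users\alice\Downloads\JamPlus.exe"
SAMPLE_EVENTS = [
    ev(0, "DEV-BUILD01", 4688, JAM_DEV),                                   # expected build host
    ev(1, "DEV-BUILD01", 4688, r"C:\BuildTools\cl.exe", parent=JAM_DEV),   # normal compiler child
    ev(0, "HR-LAPTOP07", 4688, JAM_USR),                                   # not a build host
    ev(2, "HR-LAPTOP07", 4688, r"C:\Windows\System32\cmd.exe", parent=JAM_USR),
    ev(3, "HR-LAPTOP07", 11, JAM_USR, target=r"C:\Users\alice\AppData\Local\Temp\stage.dll"),
    ev(120, "HR-LAPTOP07", 4688, r"C:\Windows\System32\wscript.exe", parent=JAM_USR),  # outside window
]
```

Running `detect(SAMPLE_EVENTS)` yields three findings for HR-LAPTOP07 (unexpected host, cmd.exe child, AppData write) and none for the allowed build host; the wscript.exe event two hours later falls outside TimeWindow and is intentionally not correlated.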