Adversaries may use JamPlus to proxy the execution of a malicious script. JamPlus is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.[1]
Adversaries may abuse the JamPlus build utility to execute malicious scripts via a .jam file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.[2][3]
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
JamPlus may not be necessary within a given environment and should be removed if not used. |
| M1038 | Execution Prevention |
Consider blocking or restricting JamPlus if not required. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0585 | Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows) | AN1610 |
Abuse of JamPlus.exe to launch malicious payloads via crafted .jam files, resulting in abnormal process creation, command execution, or artifact generation outside of standard development workflows. |