Adversaries may use JamPlus to proxy the execution of a malicious script. JamPlus is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.[1]
Adversaries may abuse the JamPlus build utility to execute malicious scripts via a .jam file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.[2][3]
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
JamPlus may not be necessary within a given environment and should be removed if not used. |
| M1038 | Execution Prevention |
Consider blocking or restricting JamPlus if not required. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0009 | Process | Process Creation |
Monitor for abnormal use of JamPlus, including the JamPlus Builder, that may be indicative of malicious use. |