
DET0585 Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows)

ID: DET0585
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1127.003 (JamPlus)

Analytics

Windows

AN1610

Abuse of JamPlus.exe to launch malicious payloads via crafted .jam files, resulting in abnormal process creation, command execution, or artifact generation outside of standard development workflows.

Log Sources

Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22
Process Metadata (DC0034) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Unsigned or untrusted modules loaded during JamPlus.exe runtime

Mutable Elements

Field | Description
TimeWindow | Correlation time window (e.g., 0–30 minutes) for JamPlus.exe execution, child processes, and file/network events.
AllowedBuildHosts | Known developer systems where JamPlus.exe usage is expected; alerts are raised if executed elsewhere.
SuspiciousChildList | Child processes considered anomalous (e.g., PowerShell, cmd, wscript) when spawned by JamPlus.exe.
RarePathRegex | Regex patterns for non-standard or user-writable paths where JamPlus.exe drops artifacts.
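The following is an added example, not MITRE's analytic: a small correlation that applies the four mutable elements above to constructed events already normalised from Security 4688, Sysmon 11 and Sysmon 3. The event field names, hostnames, paths and the regex are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the Mutable Elements; the values are constructed for this example.
TIME_WINDOW = timedelta(minutes=30)
ALLOWED_BUILD_HOSTS = {"build01"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe"}
RARE_PATH_REGEX = re.compile(r"^c:\\users\\(public\\|[^\\]+\\appdata\\)", re.IGNORECASE)

# Constructed events normalised from 4688 (process), Sysmon 11 (file) and Sysmon 3 (network).
EVENTS = [
    {"ts": "2025-10-21T09:00:00", "host": "ws-42", "kind": "process", "image": r"C:\Tools\JamPlus.exe", "parent": "explorer.exe"},
    {"ts": "2025-10-21T09:00:05", "host": "ws-42", "kind": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "JamPlus.exe"},
    {"ts": "2025-10-21T09:00:09", "host": "ws-42", "kind": "file", "image": r"C:\Tools\JamPlus.exe", "target": r"C:\Users\Public\stage.dll"},
    {"ts": "2025-10-21T09:00:12", "host": "ws-42", "kind": "network", "image": r"C:\Tools\JamPlus.exe", "dest": "198.51.100.7:443"},
    {"ts": "2025-10-21T10:00:00", "host": "build01", "kind": "process", "image": r"C:\Dev\JamPlus\JamPlus.exe", "parent": "devenv.exe"},
    {"ts": "2025-10-21T10:00:03", "host": "build01", "kind": "process", "image": r"C:\Dev\link.exe", "parent": "JamPlus.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, window=TIME_WINDOW):
    # One alert per JamPlus.exe launch that shows at least one link of the behaviour chain.
    alerts = []
    for launch in events:
        if launch["kind"] != "process" or basename(launch["image"]) != "jamplus.exe":
            continue
        start = datetime.fromisoformat(launch["ts"])
        reasons = []
        if launch["host"] not in ALLOWED_BUILD_HOSTS:
            reasons.append("executed outside AllowedBuildHosts")
        for ev in events:  # follow-on events on the same host inside TimeWindow
            delta = datetime.fromisoformat(ev["ts"]) - start
            if ev is launch or ev["host"] != launch["host"] or not timedelta(0) <= delta <= window:
                continue
            if ev["kind"] == "process" and ev["parent"].lower() == "jamplus.exe" \
                    and basename(ev["image"]) in SUSPICIOUS_CHILDREN:
                reasons.append("suspicious child " + basename(ev["image"]))
            elif ev["kind"] == "file" and basename(ev["image"]) == "jamplus.exe" \
                    and RARE_PATH_REGEX.search(ev["target"]):
                reasons.append("artifact dropped in rare path " + ev["target"])
            elif ev["kind"] == "network" and basename(ev["image"]) == "jamplus.exe":
                reasons.append("network connection to " + ev["dest"])
        if reasons:
            alerts.append({"host": launch["host"], "ts": launch["ts"], "reasons": reasons})
    return alerts
```

Running `detect(EVENTS)` yields one alert for ws-42 with four reasons, while the build01 launch (allowed host, ordinary linker child) produces none.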