T1127.003 JamPlus
Adversaries may use JamPlus to proxy the execution of a malicious script. JamPlus is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.[3]
Adversaries may abuse the JamPlus build utility to execute malicious scripts via a .jam file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.[1][2]
| Item | Value |
|---|---|
| ID | T1127.003 |
| Sub-techniques | T1127.001, T1127.002, T1127.003 |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 1.0 |
| Created | 21 March 2025 |
| Last Modified | 17 April 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | JamPlus may not be necessary within a given environment and should be removed if not used. |
| M1038 | Execution Prevention | Consider blocking or restricting JamPlus if not required. |
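Before removing or blocking JamPlus, it helps to know where it actually runs. The following triage over process-creation events is an added example, not part of the ATT&CK entry. It assumes the default binary name `jam.exe` and Sysmon-style field names; the host allowlist and the sample events are constructed for illustration.

```python
import ntpath
import re

# Assumptions (not from the ATT&CK page): JamPlus runs under its default
# binary name jam.exe, and events carry Sysmon-style process-creation fields.
JAM_IMAGE = "jam.exe"
JAM_SCRIPT = re.compile(r"\.jam(?=$|[\s\"'])", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")
APPROVED_BUILD_HOSTS = {"BUILD-01"}  # hypothetical allowlist of build servers

def triage(event):
    """Return the reasons a process-creation event needs review (empty if none)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    is_jam = ntpath.basename(image).lower() == JAM_IMAGE
    runs_jam_script = bool(JAM_SCRIPT.search(cmdline))
    if not (is_jam or runs_jam_script):
        return []
    reasons = []
    # M1042: JamPlus should not be present outside hosts that need it.
    if event.get("Computer", "").upper() not in APPROVED_BUILD_HOSTS:
        reasons.append("JamPlus activity on a host not approved for builds")
    # A build tool started from a user-writable path was likely dropped there.
    if any(part in image.lower() for part in USER_WRITABLE):
        reasons.append("binary launched from a user-writable directory")
    # A .jam argument to another binary may be a renamed jam.exe (or an editor).
    if runs_jam_script and not is_jam:
        reasons.append(".jam script passed to a binary not named jam.exe")
    return reasons

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Computer": "BUILD-01", "Image": r"C:\tools\jamplus\bin\jam.exe",
     "CommandLine": "jam.exe -j4"},
    {"Computer": "WKSTN-07", "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\jam.exe",
     "CommandLine": 'jam.exe -f "update.jam"'},
    {"Computer": "WKSTN-07", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in triage(ev):
            print(f'{ev["Computer"]}: {ev["Image"]}: {reason}')
```

Hosts that never appear in the output of such a review are candidates for removal (M1042) or an application control block rule (M1038).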
References
1. Cyble. (2024, September 9). Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC). Retrieved March 21, 2025.
2. Joe Desimone. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025.
3. Perforce Software, Inc. (n.d.). JamPlus manual: Quick Start Guide. Retrieved March 21, 2025.