JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a)
Adversaries may use JamPlus to proxy the execution of a malicious script. JamPlus is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.(Citation: JamPlus manual)

Adversaries may abuse the JamPlus build utility to execute malicious scripts via a .jam file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.(Citation: Cyble)(Citation: Elastic Security Labs)

Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) | Attack Pattern | JamPlus - T1127.003 (7d356151-a69d-404e-896b-71618952702a) | Attack Pattern | 1 |