Description
Adversaries may use JamPlus to proxy the execution of a malicious script. JamPlus is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.(Citation: JamPlus manual)
Adversaries may abuse the JamPlus build utility to execute malicious scripts via a .jam file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.(Citation: Cyble)(Citation: Elastic Security Labs)
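The description above says the interesting signal for a defender is a reputable build tool (JamPlus) executing a script it was handed in a .jam file. The following detection logic is an added example, not part of the ATT&CK entry or of the cited reports. It runs over constructed Sysmon-style process-creation events and assumes the JamPlus executable is named jam.exe, that the fields are Image, ParentImage and CommandLine, and that the list of script hosts and the user-writable path pattern are reasonable starting points for an environment; all of those are assumptions to tune locally.

```python
"""Detection logic for JamPlus proxy execution (T1127.003).

Added example, not from the ATT&CK entry. Assumes Sysmon-style
process-creation events (Image, ParentImage, CommandLine, EventId).
'jam.exe', the script-host list and the path pattern are assumptions.
"""
import ntpath
import re

JAMPLUS_IMAGE = "jam.exe"  # assumed JamPlus executable name

# Script hosts / LOLBins a build should rarely need. cmd.exe is deliberately
# excluded because build systems shell out through it routinely (assumption).
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Paths where a genuine source tree is unlikely to live (assumption).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp|ProgramData)\\", re.IGNORECASE
)

# Quoted or unquoted argument ending in .jam
JAMFILE_ARG = re.compile(r'"([^"]+\.jam)"|(\S+\.jam)\b', re.IGNORECASE)


def _basename(path):
    return ntpath.basename(path).lower()


def flag_jamplus_events(events):
    """Return [(rule_name, event_id)] for events matching either rule."""
    hits = []
    for ev in events:
        image = _basename(ev["Image"])
        parent = _basename(ev["ParentImage"])
        cmdline = ev.get("CommandLine", "")

        # Rule 1: JamPlus spawning a script host it has no business running.
        if parent == JAMPLUS_IMAGE and image in SCRIPT_HOSTS:
            hits.append(("jamplus_spawns_script_host", ev["EventId"]))

        # Rule 2: JamPlus launched with a .jam file from a user-writable path.
        if image == JAMPLUS_IMAGE:
            m = JAMFILE_ARG.search(cmdline)
            if m:
                jamfile = m.group(1) or m.group(2)
                if USER_WRITABLE.search(jamfile):
                    hits.append(("jamplus_jamfile_in_user_writable_path", ev["EventId"]))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {  # normal build from a source tree: no hit
        "EventId": 1,
        "Image": r"C:\Program Files\JamPlus\bin\jam.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"jam.exe -f C:\src\project\Jamfile.jam",
    },
    {  # build shelling out through cmd.exe: tolerated by design
        "EventId": 2,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\JamPlus\bin\jam.exe",
        "CommandLine": r"cmd.exe /c link.exe /OUT:app.exe main.obj",
    },
    {  # jam.exe and its .jam file both dropped under Downloads: rule 2
        "EventId": 3,
        "Image": r"C:\Users\alice\Downloads\setup\jam.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'jam.exe -f "C:\Users\alice\Downloads\setup\Jamfile.jam"',
    },
    {  # JamPlus spawning PowerShell: rule 1
        "EventId": 4,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\JamPlus\bin\jam.exe",
        "CommandLine": r"powershell.exe -NoProfile -File stage.ps1",
    },
]

if __name__ == "__main__":
    for rule, event_id in flag_jamplus_events(SAMPLE_EVENTS):
        print(f"{rule}: event {event_id}")
```

Rule 2 is the one worth correlating with the mitigation advice below: if JamPlus is not an approved tool in the environment, any jam.exe outside a sanctioned install path is itself the finding, and the .jam-file check becomes a secondary indicator.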
Platforms
Mitigations (2)
Execution Prevention (M1038)
Consider blocking or restricting JamPlus if not required.
Disable or Remove Feature or Program (M1042)
JamPlus may not be necessary within a given environment and should be removed if not used.
References
- Cyble. (2024, September 9). Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC). Retrieved March 21, 2025.
- Joe Desimone. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025.
- Perforce Software, Inc. (n.d.). JamPlus manual: Quick Start Guide. Retrieved March 21, 2025.
Frequently Asked Questions
What is T1127.003 (JamPlus)?
T1127.003 is a MITRE ATT&CK technique named 'JamPlus'. It belongs to the Stealth, Execution tactic(s). Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used f...
How can T1127.003 be detected?
Detection of T1127.003 (JamPlus) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1127.003?
There are 2 documented mitigations for T1127.003. Key mitigations include: Execution Prevention, Disable or Remove Feature or Program.
Which threat groups use T1127.003?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.