T1127.003

JamPlus

Adversaries may abuse the JamPlus build utility to proxy the execution of malicious scripts or binaries. JamPlus is a cross-platform build system that uses Jamfiles to describe build processes and dependencies. By embedding arbitrary shell commands within a specially crafted .jam file's Actions blocks, adversaries can execute payloads through a trusted developer tool. Because jam.exe carries a legitimate code-signing reputation, this technique is specifically used to bypass Smart App Control (SAC) and similar reputation-based application control mechanisms that would otherwise block unsigned or unknown executables.

Microsoft Sentinel / Defender

kusto

let SuspiciousChildProcesses = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msiexec.exe", "wmic.exe", "net.exe", "netsh.exe", "sc.exe",
    "schtasks.exe", "curl.exe", "wget.exe", "ftp.exe", "whoami.exe",
    "net1.exe", "nltest.exe", "dsquery.exe"
]);
let SuspiciousParents = dynamic([
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "explorer.exe",
    "powershell.exe", "pwsh.exe", "cmd.exe"
]);
let SuspiciousPaths = dynamic([
    "\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\",
    "\\downloads\\", "\\desktop\\", "\\public\\", "\\users\\public\\"
]);
// Branch 1: JamPlus spawning suspicious child processes (RiskScore 90)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "jam.exe" or InitiatingProcessFileName =~ "jamplus.exe"
| where FileName in~ (SuspiciousChildProcesses)
| extend RiskScore = 90
| extend DetectionBranch = "SuspiciousChildProcess"
| union (
    // Branch 2: JamPlus spawned by non-development parent processes (RiskScore 85)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "jam.exe" or FileName =~ "jamplus.exe"
    | where InitiatingProcessFileName in~ (SuspiciousParents)
    | extend RiskScore = 85
    | extend DetectionBranch = "SuspiciousParentProcess"
)
| union (
    // Branch 3: JamPlus binary executing from user-writable or temp paths (RiskScore 75)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "jam.exe" or FileName =~ "jamplus.exe"
    | where FolderPath has_any (SuspiciousPaths)
    | extend RiskScore = 75
    | extend DetectionBranch = "SuspiciousExecutionPath"
)
| union (
    // Branch 4: JamPlus loading a Jamfile from a suspicious path via -f flag (RiskScore 70)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "jam.exe" or FileName =~ "jamplus.exe"
    | where ProcessCommandLine has "-f"
    | where ProcessCommandLine has_any (SuspiciousPaths)
    | extend RiskScore = 70
    | extend DetectionBranch = "SuspiciousJamfilePath"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine,
         RiskScore, DetectionBranch
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software development workflows where JamPlus is used as a primary build system and legitimately invokes cmd.exe or scripting engines as part of build steps — baseline known developer workstations and build servers
Automated CI/CD pipelines (Jenkins, TeamCity, Azure DevOps self-hosted agents) running JamPlus builds that may execute from agent working directories or invoke shell utilities
Developer IDEs or terminal emulators (such as Visual Studio Code or Windows Terminal, which appear as explorer.exe children) that invoke jam.exe for build tasks — explorer.exe parent is common for GUI-launched terminals

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval IsJamExe=if(match(Image, "(?i)(\\\\jam\.exe|\\\\jamplus\.exe)$"), 1, 0)
| eval IsJamParent=if(match(ParentImage, "(?i)(\\\\jam\.exe|\\\\jamplus\.exe)$"), 1, 0)
| where IsJamExe=1 OR IsJamParent=1
| eval SuspiciousChild=if(
    IsJamParent=1 AND match(Image, "(?i)(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe|\\\\regsvr32\.exe|\\\\certutil\.exe|\\\\bitsadmin\.exe|\\\\msiexec\.exe|\\\\wmic\.exe|\\\\schtasks\.exe|\\\\net\.exe|\\\\netsh\.exe|\\\\whoami\.exe|\\\\curl\.exe)$"),
    1, 0)
| eval SuspiciousParent=if(
    IsJamExe=1 AND match(ParentImage, "(?i)(\\\\winword\.exe|\\\\excel\.exe|\\\\powerpnt\.exe|\\\\outlook\.exe|\\\\onenote\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\explorer\.exe|\\\\powershell\.exe|\\\\pwsh\.exe)$"),
    1, 0)
| eval SuspiciousPath=if(
    IsJamExe=1 AND match(lower(CurrentDirectory), "(\\\\temp\\\\|\\\\tmp\\\\|\\\\downloads\\\\|\\\\desktop\\\\|\\\\public\\\\|\\\\appdata\\\\local\\\\temp\\\\)"),
    1, 0)
| eval SuspiciousJamfile=if(
    IsJamExe=1 AND match(CommandLine, "(?i)-f\s") AND match(lower(CommandLine), "(\\\\temp\\\\|\\\\tmp\\\\|\\\\downloads\\\\|\\\\desktop\\\\|\\\\public\\\\|\\\\appdata\\\\)"),
    1, 0)
| where SuspiciousChild=1 OR SuspiciousParent=1 OR SuspiciousPath=1 OR SuspiciousJamfile=1
| eval RiskScore=case(
    SuspiciousChild=1, 90,
    SuspiciousParent=1, 85,
    SuspiciousPath=1, 75,
    SuspiciousJamfile=1, 70,
    true(), 60)
| eval DetectionBranch=case(
    SuspiciousChild=1, "SuspiciousChildProcess",
    SuspiciousParent=1, "SuspiciousParentProcess",
    SuspiciousPath=1, "SuspiciousExecutionPath",
    SuspiciousJamfile=1, "SuspiciousJamfilePath",
    true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, CurrentDirectory, SuspiciousChild, SuspiciousParent, SuspiciousPath, SuspiciousJamfile, RiskScore, DetectionBranch
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software development workflows where JamPlus is used as a primary build system and legitimately invokes cmd.exe or scripting engines as part of build steps — baseline known developer workstations and build servers
Automated CI/CD pipelines (Jenkins, TeamCity, Azure DevOps self-hosted agents) running JamPlus builds that may execute from agent working directories or invoke shell utilities
Developer IDEs or terminal emulators (such as Visual Studio Code or Windows Terminal, which appear as explorer.exe children) that invoke jam.exe for build tasks — explorer.exe parent is common for GUI-launched terminals

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (process.name : ("jam.exe", "jamplus.exe") or process.parent.name : ("jam.exe", "jamplus.exe")) and
   (
     /* Branch 1: JamPlus spawning suspicious child processes */
     (process.parent.name : ("jam.exe", "jamplus.exe") and
      process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                      "msiexec.exe", "wmic.exe", "net.exe", "netsh.exe", "sc.exe",
                      "schtasks.exe", "curl.exe", "wget.exe", "whoami.exe", "nltest.exe"))
     or
     /* Branch 2: JamPlus spawned by suspicious parents */
     (process.name : ("jam.exe", "jamplus.exe") and
      process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                             "onenote.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                             "explorer.exe", "powershell.exe", "pwsh.exe", "cmd.exe"))
     or
     /* Branch 3: JamPlus executing from suspicious paths */
     (process.name : ("jam.exe", "jamplus.exe") and
      process.executable : ("*\\temp\\*", "*\\tmp\\*", "*\\downloads\\*",
                            "*\\desktop\\*", "*\\public\\*", "*\\appdata\\local\\temp\\*"))
     or
     /* Branch 4: JamPlus loading Jamfile from suspicious path via -f flag */
     (process.name : ("jam.exe", "jamplus.exe") and
      process.args : "-f" and
      process.command_line : ("* \\temp\\*", "* \\tmp\\*", "* \\downloads\\*",
                              "* \\desktop\\*", "* \\appdata\\*", "* \\public\\*"))
   )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with endpoint integration Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legitimate software build pipelines using JamPlus installed in non-standard directories (contractor laptops, portable dev environments)
Developers running jam.exe from Downloads folder after downloading JamPlus distribution archive
Build automation running JamPlus via PowerShell or cmd.exe wrappers as part of legitimate CI/CD pipeline steps on developer workstations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS user_account,
  "sourceip" AS host_ip,
  "FileName" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  "CurrentDirectory" AS working_directory,
  CASE
    WHEN LOWER("ParentImage") LIKE '%\\jam.exe' OR LOWER("ParentImage") LIKE '%\\jamplus.exe' THEN
      CASE
        WHEN LOWER("FileName") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                                    'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe',
                                    'bitsadmin.exe','msiexec.exe','wmic.exe','schtasks.exe',
                                    'net.exe','netsh.exe','whoami.exe','curl.exe') THEN 90
        ELSE 60
      END
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe') AND
         LOWER("ParentImage") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe',
                                   'wscript.exe','cscript.exe','mshta.exe','explorer.exe',
                                   'powershell.exe','pwsh.exe','cmd.exe') THEN 85
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe') AND
         (LOWER("CurrentDirectory") LIKE '%\\temp\\%' OR LOWER("CurrentDirectory") LIKE '%\\tmp\\%' OR
          LOWER("CurrentDirectory") LIKE '%\\downloads\\%' OR LOWER("CurrentDirectory") LIKE '%\\desktop\\%' OR
          LOWER("CurrentDirectory") LIKE '%\\public\\%' OR LOWER("CurrentDirectory") LIKE '%\\appdata\\local\\temp\\%') THEN 75
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe') AND
         "CommandLine" LIKE '%-f %' AND
         (LOWER("CommandLine") LIKE '%\\temp\\%' OR LOWER("CommandLine") LIKE '%\\tmp\\%' OR
          LOWER("CommandLine") LIKE '%\\downloads\\%' OR LOWER("CommandLine") LIKE '%\\appdata\\%') THEN 70
    ELSE 60
  END AS risk_score,
  CASE
    WHEN LOWER("ParentImage") LIKE '%\\jam.exe' OR LOWER("ParentImage") LIKE '%\\jamplus.exe' THEN 'SuspiciousChildProcess'
    WHEN LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe' THEN
      CASE
        WHEN LOWER("ParentImage") IN ('winword.exe','excel.exe','powerpnt.exe') THEN 'SuspiciousParentProcess'
        WHEN LOWER("CommandLine") LIKE '%-f %' THEN 'SuspiciousJamfilePath'
        ELSE 'SuspiciousExecutionPath'
      END
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPEID = 13 /* Microsoft Windows Security Event Log */
  AND "EventID" = 4688
  AND starttime > NOW() - 1 DAYS
  AND (
    LOWER("FileName") LIKE '%\\jam.exe'
    OR LOWER("FileName") LIKE '%\\jamplus.exe'
    OR LOWER("ParentImage") LIKE '%\\jam.exe'
    OR LOWER("ParentImage") LIKE '%\\jamplus.exe'
  )
  AND (
    (LOWER("ParentImage") LIKE '%\\jam.exe' OR LOWER("ParentImage") LIKE '%\\jamplus.exe')
    AND LOWER("FileName") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                               'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe',
                               'bitsadmin.exe','msiexec.exe','wmic.exe','schtasks.exe',
                               'net.exe','netsh.exe','whoami.exe','curl.exe')
    OR
    (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe') AND
    LOWER("ParentImage") IN ('winword.exe','excel.exe','powerpnt.exe','outlook.exe','onenote.exe',
                              'wscript.exe','cscript.exe','mshta.exe','explorer.exe',
                              'powershell.exe','pwsh.exe','cmd.exe')
    OR
    (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe') AND
    (LOWER("CurrentDirectory") LIKE '%\\temp\\%' OR LOWER("CurrentDirectory") LIKE '%\\tmp\\%' OR
     LOWER("CurrentDirectory") LIKE '%\\downloads\\%' OR LOWER("CurrentDirectory") LIKE '%\\desktop\\%' OR
     LOWER("CurrentDirectory") LIKE '%\\public\\%')
    OR
    (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe') AND
    "CommandLine" LIKE '%-f %' AND
    (LOWER("CommandLine") LIKE '%\\temp\\%' OR LOWER("CommandLine") LIKE '%\\downloads\\%' OR
     LOWER("CommandLine") LIKE '%\\appdata\\%')
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (EventID 4688 with process command line auditing) Sysmon Event ID 1 via Windows Event Forwarding

Required Tables

events

False Positives

Game engine development teams using JamPlus as primary build system on workstations that also have Office installed
Embedded/IoT developers running JamPlus builds from downloaded SDK archives in Downloads folder
Automated test runners invoking JamPlus via PowerShell in CI runner environments with non-standard working directories

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID = "1" OR EventID = "4688"
/* Normalize field names across sourcetypes */
| if (EventID = "1", Image, NewProcessName) as process_image
| if (EventID = "1", ParentImage, ParentProcessName) as parent_image
| if (EventID = "1", CommandLine, CommandLine) as command_line
| if (EventID = "1", CurrentDirectory, "") as current_directory
| toLowerCase(process_image) as process_image_lower
| toLowerCase(parent_image) as parent_image_lower
| toLowerCase(command_line) as command_line_lower
| toLowerCase(current_directory) as current_dir_lower
/* Identify JamPlus involvement */
| where process_image_lower matches /.*\\(jam|jamplus)\.exe$/ OR parent_image_lower matches /.*\\(jam|jamplus)\.exe$/
/* Branch evaluation */
| if (parent_image_lower matches /.*\\(jam|jamplus)\.exe$/ AND process_image_lower matches /.*\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|schtasks|net|netsh|whoami|curl)\.exe$/, 1, 0) as suspicious_child
| if (process_image_lower matches /.*\\(jam|jamplus)\.exe$/ AND parent_image_lower matches /.*\\(winword|excel|powerpnt|outlook|onenote|wscript|cscript|mshta|explorer|powershell|pwsh|cmd)\.exe$/, 1, 0) as suspicious_parent
| if (process_image_lower matches /.*\\(jam|jamplus)\.exe$/ AND (current_dir_lower matches /.*\\(temp|tmp|downloads|desktop|public)\\.*/ OR current_dir_lower matches /.*\\appdata\\local\\temp\\.*/), 1, 0) as suspicious_path
| if (process_image_lower matches /.*\\(jam|jamplus)\.exe$/ AND command_line_lower matches /.*-f .*/ AND (command_line_lower matches /.*\\(temp|tmp|downloads|desktop|appdata)\\.*/ ), 1, 0) as suspicious_jamfile
/* Only keep events matching at least one branch */
| where suspicious_child = 1 OR suspicious_parent = 1 OR suspicious_path = 1 OR suspicious_jamfile = 1
/* Assign risk score (first match wins) */
| if (suspicious_child = 1, 90, if (suspicious_parent = 1, 85, if (suspicious_path = 1, 75, if (suspicious_jamfile = 1, 70, 60)))) as risk_score
| if (suspicious_child = 1, "SuspiciousChildProcess", if (suspicious_parent = 1, "SuspiciousParentProcess", if (suspicious_path = 1, "SuspiciousExecutionPath", if (suspicious_jamfile = 1, "SuspiciousJamfilePath", "Unknown")))) as detection_branch
| fields _messageTime, Computer, User, process_image, command_line, parent_image, current_directory, suspicious_child, suspicious_parent, suspicious_path, suspicious_jamfile, risk_score, detection_branch
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sysmon via Sumo Logic collector (EventID 1) Windows Security Event Log via Sumo Logic collector (EventID 4688)

Required Tables

windows/sysmon windows/security

False Positives

DevOps engineers running JamPlus from PowerShell terminals for cross-platform build testing
Security researchers testing JamPlus behavior in sandboxed environments with temp-based working directories
Game studio build automation invoking JamPlus from explorers or Office macros during asset pipeline generation

Google Chronicle / SecOps

yaral

rule jamplus_proxy_execution_t1127_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects JamPlus (jam.exe/jamplus.exe) abuse for signed binary proxy execution (T1127.003). Covers suspicious child processes, suspicious parent processes, execution from user-writable paths, and loading Jamfiles from suspicious locations via -f flag."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1127.003"
    reference = "https://attack.mitre.org/techniques/T1127/003/"
    version = "1.0"
    created = "2026-04-18"

  events:
    (
      /* Branch 1: JamPlus spawning suspicious child processes */
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.principal.process.file.full_path, `(?i)(\\jam\.exe|\\jamplus\.exe)$`)
        and re.regex($e1.target.process.file.full_path, `(?i)(\\cmd\.exe|\\powershell\.exe|\\pwsh\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\rundll32\.exe|\\regsvr32\.exe|\\certutil\.exe|\\bitsadmin\.exe|\\msiexec\.exe|\\wmic\.exe|\\schtasks\.exe|\\net\.exe|\\netsh\.exe|\\whoami\.exe|\\curl\.exe|\\nltest\.exe)$`)
      )
      or
      /* Branch 2: JamPlus launched by suspicious parent processes */
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.target.process.file.full_path, `(?i)(\\jam\.exe|\\jamplus\.exe)$`)
        and re.regex($e1.principal.process.file.full_path, `(?i)(\\winword\.exe|\\excel\.exe|\\powerpnt\.exe|\\outlook\.exe|\\onenote\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\explorer\.exe|\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe)$`)
      )
      or
      /* Branch 3: JamPlus executing from user-writable/temp paths */
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.target.process.file.full_path, `(?i)(\\jam\.exe|\\jamplus\.exe)$`)
        and re.regex($e1.target.process.file.full_path, `(?i)(\\temp\\|\\tmp\\|\\downloads\\|\\desktop\\|\\public\\|appdata\\local\\temp\\)`)
      )
      or
      /* Branch 4: JamPlus loading Jamfile from suspicious path via -f flag */
      (
        $e1.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e1.target.process.file.full_path, `(?i)(\\jam\.exe|\\jamplus\.exe)$`)
        and re.regex($e1.target.process.command_line, `(?i)-f\s`)
        and re.regex($e1.target.process.command_line, `(?i)(\\temp\\|\\tmp\\|\\downloads\\|\\desktop\\|\\appdata\\|\\public\\)`)
      )
    )

  condition:
    $e1

high severity high confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry via Chronicle forwarder Sysmon via Chronicle ingestion pipeline

Required Tables

process_launch UDM events

False Positives

Legitimate cross-platform build systems using JamPlus in portable developer environments stored in user Downloads folders
Automated asset pipeline tooling in game development studios launching JamPlus from Office macro-driven scripts
Build scripts invoking JamPlus from PowerShell as part of developer onboarding automation installed to APPDATA

CrowdStrike LogScale (CQL)

cql

// T1127.003 - JamPlus Signed Binary Proxy Execution Detection
// Covers 4 detection branches with risk scoring

#event_simpleName = ProcessRollup2
| FileName =~ regex("(?i)^(jam|jamplus)\.exe$") OR ParentBaseFileName =~ regex("(?i)^(jam|jamplus)\.exe$")

// Branch 1: JamPlus spawning suspicious LOLBin child processes (RiskScore 90)
| SuspiciousChild := if(
    ParentBaseFileName =~ regex("(?i)^(jam|jamplus)\.exe$") AND
    FileName =~ regex("(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|schtasks|net|netsh|whoami|curl|nltest|dsquery|net1)\.exe$"),
    "true", "false")

// Branch 2: JamPlus spawned by suspicious parent process (RiskScore 85)
| SuspiciousParent := if(
    FileName =~ regex("(?i)^(jam|jamplus)\.exe$") AND
    ParentBaseFileName =~ regex("(?i)^(winword|excel|powerpnt|outlook|onenote|wscript|cscript|mshta|explorer|powershell|pwsh|cmd)\.exe$"),
    "true", "false")

// Branch 3: JamPlus running from user-writable temp/staging paths (RiskScore 75)
| SuspiciousPath := if(
    FileName =~ regex("(?i)^(jam|jamplus)\.exe$") AND
    ImageFileName =~ regex("(?i)(\\\\temp\\\\|\\\\tmp\\\\|\\\\downloads\\\\|\\\\desktop\\\\|\\\\public\\\\|appdata\\\\local\\\\temp\\\\)"),
    "true", "false")

// Branch 4: JamPlus loading Jamfile from suspicious path via -f flag (RiskScore 70)
| SuspiciousJamfile := if(
    FileName =~ regex("(?i)^(jam|jamplus)\.exe$") AND
    CommandLine =~ regex("(?i)-f\\s") AND
    CommandLine =~ regex("(?i)(\\\\temp\\\\|\\\\tmp\\\\|\\\\downloads\\\\|\\\\desktop\\\\|\\\\appdata\\\\|\\\\public\\\\)"),
    "true", "false")

// Only retain events matching at least one branch
| SuspiciousChild = "true" OR SuspiciousParent = "true" OR SuspiciousPath = "true" OR SuspiciousJamfile = "true"

// Assign risk score
| RiskScore := if(SuspiciousChild = "true", "90",
    if(SuspiciousParent = "true", "85",
    if(SuspiciousPath = "true", "75",
    if(SuspiciousJamfile = "true", "70", "60"))))

// Assign detection branch label
| DetectionBranch := if(SuspiciousChild = "true", "SuspiciousChildProcess",
    if(SuspiciousParent = "true", "SuspiciousParentProcess",
    if(SuspiciousPath = "true", "SuspiciousExecutionPath",
    if(SuspiciousJamfile = "true", "SuspiciousJamfilePath", "Unknown"))))

| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName,
         ParentCommandLine, ImageFileName, SuspiciousChild, SuspiciousParent,
         SuspiciousPath, SuspiciousJamfile, RiskScore, DetectionBranch])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives

Embedded systems developers using JamPlus as the primary build tool on endpoints also running Office applications, triggering parent-child false positives when builds are launched from IDE macros
QA automation frameworks that download and execute JamPlus from temporary directories as part of cross-platform test harness setup
Game engine CI on developer machines where JamPlus assets pipeline is invoked from PowerShell scripts with working directories in APPDATA or user profile subfolders

Last updated: 2026-04-18 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1127.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

JamPlus

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections