Detect JamPlus in Elastic Security
Adversaries may abuse the JamPlus build utility to proxy the execution of malicious scripts or binaries. JamPlus is a cross-platform build system that uses Jamfiles to describe build processes and dependencies. By embedding arbitrary shell commands within a specially crafted .jam file's Actions blocks, adversaries can execute payloads through a trusted developer tool. Because jam.exe carries a legitimate code-signing reputation, this technique is specifically used to bypass Smart App Control (SAC) and similar reputation-based application control mechanisms that would otherwise block unsigned or unknown executables.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1127.003 JamPlus
- Canonical reference
- https://attack.mitre.org/techniques/T1127/003/
Elastic Detection Query
sequence by host.id with maxspan=5m
[process where event.type == "start" and
(process.name : ("jam.exe", "jamplus.exe") or process.parent.name : ("jam.exe", "jamplus.exe")) and
(
/* Branch 1: JamPlus spawning suspicious child processes */
(process.parent.name : ("jam.exe", "jamplus.exe") and
process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
"msiexec.exe", "wmic.exe", "net.exe", "netsh.exe", "sc.exe",
"schtasks.exe", "curl.exe", "wget.exe", "whoami.exe", "nltest.exe"))
or
/* Branch 2: JamPlus spawned by suspicious parents */
(process.name : ("jam.exe", "jamplus.exe") and
process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
"onenote.exe", "wscript.exe", "cscript.exe", "mshta.exe",
"explorer.exe", "powershell.exe", "pwsh.exe", "cmd.exe"))
or
/* Branch 3: JamPlus executing from suspicious paths */
(process.name : ("jam.exe", "jamplus.exe") and
process.executable : ("*\\temp\\*", "*\\tmp\\*", "*\\downloads\\*",
"*\\desktop\\*", "*\\public\\*", "*\\appdata\\local\\temp\\*"))
or
/* Branch 4: JamPlus loading Jamfile from suspicious path via -f flag */
(process.name : ("jam.exe", "jamplus.exe") and
process.args : "-f" and
process.command_line : ("* \\temp\\*", "* \\tmp\\*", "* \\downloads\\*",
"* \\desktop\\*", "* \\appdata\\*", "* \\public\\*"))
)
]Detects abuse of JamPlus build utility (jam.exe/jamplus.exe) to proxy execution of malicious payloads via trusted developer tooling. Covers four detection branches: suspicious child process spawning, suspicious parent launching JamPlus, JamPlus running from user-writable paths, and JamPlus loading Jamfiles from temp/user paths via the -f flag. Targets Smart App Control bypass via signed binary proxy execution.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software build pipelines using JamPlus installed in non-standard directories (contractor laptops, portable dev environments)
- Developers running jam.exe from Downloads folder after downloading JamPlus distribution archive
- Build automation running JamPlus via PowerShell or cmd.exe wrappers as part of legitimate CI/CD pipeline steps on developer workstations
Other platforms for T1127.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1JamPlus Executes cmd.exe via Malicious Jamfile in TEMP
Expected signal: Sysmon Event ID 1: Process Create for jam.exe with CommandLine containing '-f' and a path under %TEMP%. Sysmon Event ID 1: Child Process Create for cmd.exe with ParentImage matching jam.exe path. Sysmon Event ID 11: File Create for %TEMP%\jamtest-output.txt written by cmd.exe. Security Event ID 4688 if command line auditing is enabled.
- Test 2JamPlus Executes PowerShell Download Cradle via Jamfile
Expected signal: Sysmon Event ID 1: Process Create for jam.exe from %TEMP%. Sysmon Event ID 1: Child Process Create for powershell.exe with ParentImage=jam.exe and CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network connection attempt from powershell.exe to 127.0.0.1:8080 (fails — no listener but event fires). PowerShell ScriptBlock Log Event ID 4104 with the download cradle content.
- Test 3JamPlus Binary Staged in TEMP Directory (Suspicious Execution Path)
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\jam.exe (binary staging). Sysmon Event ID 1: Process Create for jam.exe with Image and FolderPath under %TEMP%. Sysmon Event ID 1: Child Process Create for cmd.exe with ParentImage=%TEMP%\jam.exe and CommandLine containing 'net user'.
- Test 4JamPlus Spawned by Scripting Engine (Simulated VBScript Dropper Delivery)
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with CommandLine referencing dropper.vbs. Sysmon Event ID 1: Process Create for jam.exe with ParentImage=wscript.exe — this is the primary detection event. Sysmon Event ID 1: Child Process Create for cmd.exe with ParentImage=jam.exe, completing the three-level process chain wscript.exe → jam.exe → cmd.exe.
References (8)
- https://attack.mitre.org/techniques/T1127/003/
- https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/
- https://www.elastic.co/security-labs/dismantling-smart-app-control
- https://jamplus.github.io/jamplus/quick_start.html
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/smart-app-control/
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1127.003 including response playbook, investigation guide, and atomic red team tests.