T1127.003 IBM QRadar · QRadar

Detect JamPlus in IBM QRadar

Adversaries may abuse the JamPlus build utility to proxy the execution of malicious scripts or binaries. JamPlus is a cross-platform build system that uses Jamfiles to describe build processes and dependencies. By embedding arbitrary shell commands within a specially crafted .jam file's Actions blocks, adversaries can execute payloads through a trusted developer tool. Because jam.exe carries a legitimate code-signing reputation, this technique is specifically used to bypass Smart App Control (SAC) and similar reputation-based application control mechanisms that would otherwise block unsigned or unknown executables.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1127 Trusted Developer Utilities Proxy Execution
Sub-technique
T1127.003 JamPlus
Canonical reference
https://attack.mitre.org/techniques/T1127/003/

QRadar Detection Query

The image-name lists are matched with MATCHES (a Java regular expression anchored on a path separator) rather than IN, because "FileName" and "ParentImage" carry full image paths, as the LIKE '%\\jam.exe' patterns already assume; the same four branch conditions drive risk_score, detection_branch and the WHERE filter, so the label always agrees with the score. The time window uses the AQL LAST clause.

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  "username" AS user_account,
  "sourceip" AS host_ip,
  "FileName" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  "CurrentDirectory" AS working_directory,
  CASE
    WHEN (LOWER("ParentImage") LIKE '%\\jam.exe' OR LOWER("ParentImage") LIKE '%\\jamplus.exe')
         AND "FileName" MATCHES '(?i).*[^a-z0-9_-](cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|schtasks|net|netsh|whoami|curl)[.]exe$' THEN 90
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
         AND "ParentImage" MATCHES '(?i).*[^a-z0-9_-](winword|excel|powerpnt|outlook|onenote|wscript|cscript|mshta|explorer|powershell|pwsh|cmd)[.]exe$' THEN 85
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
         AND (LOWER("CurrentDirectory") LIKE '%\\temp\\%' OR LOWER("CurrentDirectory") LIKE '%\\tmp\\%' OR
              LOWER("CurrentDirectory") LIKE '%\\downloads\\%' OR LOWER("CurrentDirectory") LIKE '%\\desktop\\%' OR
              LOWER("CurrentDirectory") LIKE '%\\public\\%') THEN 75
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
         AND "CommandLine" LIKE '%-f %'
         AND (LOWER("CommandLine") LIKE '%\\temp\\%' OR LOWER("CommandLine") LIKE '%\\tmp\\%' OR
              LOWER("CommandLine") LIKE '%\\downloads\\%' OR LOWER("CommandLine") LIKE '%\\appdata\\%') THEN 70
    ELSE 60
  END AS risk_score,
  CASE
    WHEN (LOWER("ParentImage") LIKE '%\\jam.exe' OR LOWER("ParentImage") LIKE '%\\jamplus.exe')
         AND "FileName" MATCHES '(?i).*[^a-z0-9_-](cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|schtasks|net|netsh|whoami|curl)[.]exe$' THEN 'SuspiciousChildProcess'
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
         AND "ParentImage" MATCHES '(?i).*[^a-z0-9_-](winword|excel|powerpnt|outlook|onenote|wscript|cscript|mshta|explorer|powershell|pwsh|cmd)[.]exe$' THEN 'SuspiciousParentProcess'
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
         AND (LOWER("CurrentDirectory") LIKE '%\\temp\\%' OR LOWER("CurrentDirectory") LIKE '%\\tmp\\%' OR
              LOWER("CurrentDirectory") LIKE '%\\downloads\\%' OR LOWER("CurrentDirectory") LIKE '%\\desktop\\%' OR
              LOWER("CurrentDirectory") LIKE '%\\public\\%') THEN 'SuspiciousExecutionPath'
    WHEN (LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
         AND "CommandLine" LIKE '%-f %'
         AND (LOWER("CommandLine") LIKE '%\\temp\\%' OR LOWER("CommandLine") LIKE '%\\tmp\\%' OR
              LOWER("CommandLine") LIKE '%\\downloads\\%' OR LOWER("CommandLine") LIKE '%\\appdata\\%') THEN 'SuspiciousJamfilePath'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPEID = 13 /* Microsoft Windows Security Event Log */
  AND "EventID" = 4688
  AND (
    ((LOWER("ParentImage") LIKE '%\\jam.exe' OR LOWER("ParentImage") LIKE '%\\jamplus.exe')
     AND "FileName" MATCHES '(?i).*[^a-z0-9_-](cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|schtasks|net|netsh|whoami|curl)[.]exe$')
    OR
    ((LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
     AND "ParentImage" MATCHES '(?i).*[^a-z0-9_-](winword|excel|powerpnt|outlook|onenote|wscript|cscript|mshta|explorer|powershell|pwsh|cmd)[.]exe$')
    OR
    ((LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
     AND (LOWER("CurrentDirectory") LIKE '%\\temp\\%' OR LOWER("CurrentDirectory") LIKE '%\\tmp\\%' OR
          LOWER("CurrentDirectory") LIKE '%\\downloads\\%' OR LOWER("CurrentDirectory") LIKE '%\\desktop\\%' OR
          LOWER("CurrentDirectory") LIKE '%\\public\\%'))
    OR
    ((LOWER("FileName") LIKE '%\\jam.exe' OR LOWER("FileName") LIKE '%\\jamplus.exe')
     AND "CommandLine" LIKE '%-f %'
     AND (LOWER("CommandLine") LIKE '%\\temp\\%' OR LOWER("CommandLine") LIKE '%\\tmp\\%' OR
          LOWER("CommandLine") LIKE '%\\downloads\\%' OR LOWER("CommandLine") LIKE '%\\appdata\\%'))
  )
ORDER BY starttime DESC
LAST 1 DAYS
```

Severity: high · Confidence: medium

Detects abuse of JamPlus (jam.exe/jamplus.exe) for signed-binary proxy execution, using Windows Security Event ID 4688 (process creation, with command-line auditing enabled). The query identifies four risk-scored branches: JamPlus spawning LOLBins as child processes (risk 90), JamPlus launched by Office applications or script interpreters (risk 85), JamPlus running from user-writable temp paths (risk 75), and JamPlus loading a Jamfile from a suspicious path via the -f flag (risk 70).

Data Sources

  • Windows Security Event Log (Event ID 4688 with process command line auditing)
  • Sysmon Event ID 1 via Windows Event Forwarding

Required Tables

events

False Positives & Tuning

  • Game engine development teams using JamPlus as primary build system on workstations that also have Office installed
  • Embedded/IoT developers running JamPlus builds from downloaded SDK archives in Downloads folder
  • Automated test runners invoking JamPlus via PowerShell in CI runner environments with non-standard working directories
Testing Methodology

Validate this detection against 4 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: JamPlus Executes cmd.exe via Malicious Jamfile in TEMP

    Expected signal: Sysmon Event ID 1: Process Create for jam.exe with CommandLine containing '-f' and a path under %TEMP%. Sysmon Event ID 1: Child Process Create for cmd.exe with ParentImage matching jam.exe path. Sysmon Event ID 11: File Create for %TEMP%\jamtest-output.txt written by cmd.exe. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: JamPlus Executes PowerShell Download Cradle via Jamfile

    Expected signal: Sysmon Event ID 1: Process Create for jam.exe from %TEMP%. Sysmon Event ID 1: Child Process Create for powershell.exe with ParentImage=jam.exe and CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network connection attempt from powershell.exe to 127.0.0.1:8080 (fails — no listener but event fires). PowerShell ScriptBlock Log Event ID 4104 with the download cradle content.

  3. Test 3: JamPlus Binary Staged in TEMP Directory (Suspicious Execution Path)

    Expected signal: Sysmon Event ID 11: File Create for %TEMP%\jam.exe (binary staging). Sysmon Event ID 1: Process Create for jam.exe with Image and FolderPath under %TEMP%. Sysmon Event ID 1: Child Process Create for cmd.exe with ParentImage=%TEMP%\jam.exe and CommandLine containing 'net user'.

  4. Test 4: JamPlus Spawned by Scripting Engine (Simulated VBScript Dropper Delivery)

    Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with CommandLine referencing dropper.vbs. Sysmon Event ID 1: Process Create for jam.exe with ParentImage=wscript.exe — this is the primary detection event. Sysmon Event ID 1: Child Process Create for cmd.exe with ParentImage=jam.exe, completing the three-level process chain wscript.exe → jam.exe → cmd.exe.
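To exercise the four risk-scored branches and the process chains the tests above produce without a QRadar instance, here is a Python re-implementation of the query's CASE and WHERE logic run over constructed 4688-style events. This is an added example, not code from the detection package; every path, label and field value in it is made up.

```python
"""Offline re-implementation of the four JamPlus risk branches from the QRadar query
(added example, not part of the original package; every sample value is made up)."""
import re

# Image name must follow a path separator, as the query's '%\jam.exe' patterns require.
_IMG = r"(?i)^.*[\\/]({})\.exe$"
JAM = _IMG.format("jam|jamplus")
LOLBINS = _IMG.format("cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|"
                      "certutil|bitsadmin|msiexec|wmic|schtasks|net|netsh|whoami|curl")
LAUNCHERS = _IMG.format("winword|excel|powerpnt|outlook|onenote|wscript|cscript|mshta|"
                        "explorer|powershell|pwsh|cmd")
STAGING_DIRS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\desktop\\", "\\public\\")
JAMFILE_DIRS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\appdata\\")

def score(ev):
    """Return (risk_score, detection_branch), testing branches in the query's CASE order."""
    image, parent = ev.get("FileName", ""), ev.get("ParentImage", "")
    cmd, cwd = ev.get("CommandLine", ""), ev.get("CurrentDirectory", "").lower()
    if re.match(JAM, parent) and re.match(LOLBINS, image):
        return 90, "SuspiciousChildProcess"
    if re.match(JAM, image):
        if re.match(LAUNCHERS, parent):
            return 85, "SuspiciousParentProcess"
        if any(d in cwd for d in STAGING_DIRS):
            return 75, "SuspiciousExecutionPath"
        if "-f " in cmd and any(d in cmd.lower() for d in JAMFILE_DIRS):
            return 70, "SuspiciousJamfilePath"
    return 60, "Unknown"  # the query's WHERE clause never returns these rows

def alerts(events):
    """Mimic the WHERE clause: only events that hit one of the four branches alert."""
    return [(ev["label"], *score(ev)) for ev in events if score(ev)[0] > 60]

SAMPLE_EVENTS = [  # constructed 4688-style records following Atomic tests 1-4
    {"label": "t1-cmd-child", "FileName": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\dev\\AppData\\Local\\Temp\\jam.exe"},
    {"label": "t2-jamfile", "FileName": "C:\\Tools\\JamPlus\\jam.exe", "ParentImage":
     "C:\\Users\\dev\\Downloads\\setup.exe", "CurrentDirectory": "C:\\Tools\\JamPlus\\",
     "CommandLine": "jam.exe -f C:\\Users\\dev\\AppData\\Local\\Temp\\payload.jam"},
    {"label": "t3-staged", "FileName": "C:\\Users\\dev\\AppData\\Local\\Temp\\jam.exe",
     "ParentImage": "C:\\Users\\dev\\Downloads\\setup.exe",
     "CurrentDirectory": "C:\\Users\\dev\\AppData\\Local\\Temp\\"},
    {"label": "t4-wscript", "FileName": "C:\\Users\\dev\\AppData\\Local\\Temp\\jam.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
    {"label": "benign-ci", "FileName": "C:\\BuildTools\\JamPlus\\jam.exe", "ParentImage":
     "C:\\BuildTools\\runner.exe", "CurrentDirectory": "C:\\src\\game\\",
     "CommandLine": "jam.exe -f C:\\src\\game\\Jamfile.jam -j8"},
]
```

Running `alerts(SAMPLE_EVENTS)` returns one hit per Atomic test and drops the CI build, which is the same set of rows the query's WHERE clause would return.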
