title: JamPlus (T1127.003)
id: df00tech-t1127-003
status: experimental
description: "Adversaries may abuse the JamPlus build utility to proxy the execution of malicious scripts or binaries. JamPlus is a cross-platform build system that uses Jamfiles to describe build processes and dependencies. By embedding arbitrary shell commands within a specially crafted .jam file's Actions blocks, adversaries can execute payloads through a trusted developer tool. Because jam.exe carries a legitimate code-signing reputation, this technique is specifically used to bypass Smart App Control (SAC) and similar reputation-based application control mechanisms that would otherwise block unsigned or unknown executables."
references:
  - https://attack.mitre.org/techniques/T1127/003/
  - https://df00tech.com/detections/T1127.003
author: df00tech
date: 2026/04/18
tags:
  - attack.t1127.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software development workflows where JamPlus is used as a primary build system and legitimately invokes cmd.exe or scripting engines as part of build steps — baseline known developer workstations and build servers
  - "Automated CI/CD pipelines (Jenkins, TeamCity, Azure DevOps self-hosted agents) running JamPlus builds that may execute from agent working directories or invoke shell utilities"
  - "Developer IDEs or terminal emulators (such as Visual Studio Code or Windows Terminal, which appear as explorer.exe children) that invoke jam.exe for build tasks — explorer.exe parent is common for GUI-launched terminals"
level: high
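Because the rule's detection block is only a placeholder, here is an added worked example (not part of the df00tech rule) of the core logic its description and false-positive notes imply: flag process_creation events where jam.exe spawns a shell or script engine, and lower the severity on hosts baselined as build systems. Field names follow Sysmon EventID 1 / Sigma process_creation conventions; the host allowlist and sample events are constructed for illustration.

```python
from typing import Dict, List, Optional

# Child processes that indicate jam.exe handed control to a shell or script engine
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Hypothetical baseline of hosts where JamPlus builds are expected (constructed names)
KNOWN_BUILD_HOSTS = {"build-agent-01", "dev-ws-alice"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding when jam.exe spawns a shell/script engine, else None.

    Severity is 'high' on unbaselined hosts and 'low' on known build hosts,
    mirroring the false-positive guidance in the rule above.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent != "jam.exe" or child not in SHELL_CHILDREN:
        return None
    host = event.get("Computer", "").lower()
    severity = "low" if host in KNOWN_BUILD_HOSTS else "high"
    return {"host": host, "parent": parent, "child": child,
            "cmdline": event.get("CommandLine", ""), "severity": severity}


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply evaluate() to every process_creation event and collect findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample process_creation events (Sysmon EventID 1 field names)
SAMPLE_EVENTS = [
    {"Computer": "WS-UNKNOWN", "ParentImage": r"C:\Users\u\Downloads\jam.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c copy out.bin dist\\"},
    {"Computer": "build-agent-01", "ParentImage": r"D:\agent\tools\jam.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c msbuild app.sln"},
    {"Computer": "dev-ws-alice", "ParentImage": r"C:\tools\jam.exe",
     "Image": r"C:\tools\cl.exe", "CommandLine": "cl.exe /c main.c"},
    {"Computer": "dev-ws-bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\tools\jam.exe", "CommandLine": "jam.exe"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

The third and fourth sample events show the two benign shapes the false-positive notes describe (jam.exe running a compiler, and a GUI-launched terminal starting jam.exe under explorer.exe), which produce no finding.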
