AN1610: Analytic 1610
Abuse of JamPlus.exe to launch malicious payloads via crafted .jam files, resulting in abnormal process creation, command execution, or artifact generation outside of standard development workflows.
Analyst context for executives and security teams
This analytic highlights a Windows detection concern around JamPlus.exe being used outside normal development activity to run payloads through crafted .jam files. For leaders, the value is not in the tool name alone, but in validating whether developer tooling can become an unmonitored execution path that bypasses assumptions in endpoint, SOC, and incident response coverage.
Executive priority
Prioritize this where JamPlus or similar build/development tooling exists on Windows systems, especially on developer workstations or build environments. The business question is whether trusted development utilities are governed, logged, and explainable enough to distinguish legitimate build workflows from abnormal process creation, command execution, or unexpected artifact generation. This can support operational resilience, incident triage readiness, and audit evidence around software development environment monitoring.
Technical view
SOC and detection teams should baseline legitimate JamPlus.exe usage on Windows and review whether process creation, command-line, parent-child process, file artifact, and working-directory evidence is available. Because ATT&CK provides no official detection logic or relationships for this analytic, teams should avoid assuming a fixed signature and instead validate deviations from standard development workflows, such as unusual parents, unexpected child processes, suspicious command execution patterns, or generated artifacts in locations not normally associated with builds.
Likely telemetry
- Windows process creation events including executable path, command line, parent process, user, and working directory
- Endpoint detection and response telemetry for JamPlus.exe process trees and child process execution
- File creation or modification telemetry for .jam files and generated artifacts
- Developer workstation and build system inventory showing where JamPlus.exe is expected to exist
- User and host context to distinguish normal development activity from unusual execution
Detection direction
- Establish an allowlist or baseline of expected JamPlus.exe locations, users, parent processes, working directories, and build-related child processes.
- Alert on JamPlus.exe activity that launches abnormal child processes or command execution outside documented development workflows.
- Review file artifact generation associated with .jam execution, especially when output locations or file types are inconsistent with normal builds.
- Tune carefully for developer and CI/build environments, where legitimate JamPlus activity may be frequent and false positives are likely without workflow context.
- Account for the ATT&CK limitation that no official detection logic, tactic mapping, or relationship context was supplied for this analytic.
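As an added illustration (not part of the analytic or of MITRE's content), the following Python sketch applies the baselining approach above to constructed process-creation events: the baseline values, file paths, and sample events are all assumptions standing in for a team's own inventory and telemetry.

```python
from dataclasses import dataclass
import ntpath
# Hypothetical local baseline: every entry is an assumption to be replaced from your own inventory.
BASELINE = {
    "jamplus_paths": {"c:\\tools\\jamplus\\bin\\jamplus.exe"},  # expected install locations
    "parents": {"cmd.exe", "devenv.exe", "msbuild.exe"},         # expected launchers
    "build_roots": {"c:\\builds\\", "c:\\src\\"},                 # expected working directories
    "children": {"cl.exe", "link.exe", "rc.exe", "cmd.exe"},      # build-related child processes
}
@dataclass
class ProcEvent:  # minimal Windows process-creation record
    image: str
    parent_image: str
    command_line: str
    cwd: str
def _name(path: str) -> str:
    return ntpath.basename(path).lower()  # case-insensitive executable name

def check_event(ev: ProcEvent, baseline: dict = BASELINE) -> list[str]:
    """Return baseline deviations for one event; an empty list means it looks like a normal build."""
    findings = []
    image, parent = ev.image.lower(), ev.parent_image.lower()
    cwd = ev.cwd.lower().rstrip("\\") + "\\"
    if _name(image) == "jamplus.exe":
        if image not in baseline["jamplus_paths"]:
            findings.append(f"jamplus.exe outside expected install path: {ev.image}")
        if _name(parent) not in baseline["parents"]:
            findings.append(f"unexpected parent process: {ev.parent_image}")
        if not any(cwd.startswith(root) for root in baseline["build_roots"]):
            findings.append(f"working directory outside build roots: {ev.cwd}")
    elif _name(parent) == "jamplus.exe" and _name(image) not in baseline["children"]:
        findings.append(f"jamplus.exe spawned non-build child: {ev.image}")
    return findings

def triage(events: list[ProcEvent], baseline: dict = BASELINE) -> dict[str, list[str]]:
    # Map each deviating event's command line to its findings for analyst review.
    return {ev.command_line: f for ev in events if (f := check_event(ev, baseline))}

# Constructed sample events (not real telemetry): two normal build steps, then two deviations.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Tools\\JamPlus\\bin\\JamPlus.exe", "C:\\Windows\\System32\\cmd.exe",
              "JamPlus.exe -f Jamfile.jam all", "C:\\builds\\app"),
    ProcEvent("C:\\MSVC\\bin\\cl.exe", "C:\\Tools\\JamPlus\\bin\\JamPlus.exe",
              "cl.exe /c main.c", "C:\\builds\\app"),
    ProcEvent("C:\\Users\\bob\\Downloads\\JamPlus.exe", "C:\\Windows\\explorer.exe",
              "JamPlus.exe -f notes.jam", "C:\\Users\\bob\\Downloads"),
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Tools\\JamPlus\\bin\\JamPlus.exe", "powershell.exe -NoProfile", "C:\\builds\\app"),
]
```

The checks deliberately report deviations rather than verdicts, matching the page's point that without local workflow context a fixed signature will misfire in busy developer and CI environments.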
Mitigation priorities
- Inventory Windows systems where JamPlus.exe is installed or expected, with special attention to developer endpoints and build infrastructure.
- Restrict use of development tools to approved systems and users where operationally feasible.
- Ensure endpoint and logging controls capture process creation, command-line, and file artifact telemetry for development tooling.
- Document normal JamPlus workflows so SOC and IR teams can triage deviations quickly.
- Use incident response playbooks to validate whether abnormal JamPlus.exe execution is tied to legitimate build activity or requires containment.
Analyst notes and limits
This object is a detection analytic, not a technique or campaign report. The supplied ATT&CK fields describe abuse of JamPlus.exe through crafted .jam files on Windows, resulting in abnormal process creation, command execution, or artifact generation outside standard development workflows. No tactics, aliases, labels, detection text, or relationship context were supplied.
Assessment is limited to the official STIX fields and the single MITRE external reference. There is no supplied evidence of active exploitation, attribution, prevalence, impact, or guaranteed detection coverage. Local environment baselining is required to determine relevance and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 72073b15acd6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1610
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.