T1127.003: JamPlus
Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.[1]
Adversaries may abuse the `JamPlus` build utility to execute malicious scripts via a `.jam` file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.[2][3]
Analyst context for executives and security teams
JamPlus matters because it is a legitimate Windows developer build utility that can be used to run instructions from a .jam build file. For business leaders, the risk is not the tool by itself; it is that trusted development utilities can become execution paths that bypass assumptions in application control programs, especially where developer tools are broadly allowed.
Executive priority
Prioritize this as an application-control and software-governance validation issue. Leaders should ask whether JamPlus is actually required in the environment, where it is installed, who is allowed to run it, and whether security controls distinguish approved build activity from suspicious script execution through a trusted utility. This is relevant to audit evidence for execution prevention, SOC readiness, and incident response triage on Windows systems.
Technical view
This is a Windows sub-technique under Trusted Developer Utilities Proxy Execution with execution and stealth relevance. SOC and detection engineering teams should validate whether JamPlus execution is visible, whether command lines and child processes are captured, and whether .jam file usage can be correlated with unusual parent processes, user context, paths, or downstream script/process execution. Because ATT&CK provides no official detection text for this object, the related DET0585 behavior-chain strategy should be treated as a direction to build correlation rather than relying on a single executable-name alert.
Likely telemetry
- Windows process creation events including JamPlus process name, command line, parent process, child processes, user, host, and working directory
- File activity involving .jam files, especially creation, modification, or execution from user-writable or unusual locations
- Application control, Smart App Control, WDAC, AppLocker, or equivalent allow/block/audit events where available
- Developer tool inventory and software installation records showing whether JamPlus is expected on a host
- Endpoint detection telemetry linking JamPlus execution to scripts, compilers, shells, or other follow-on processes
Detection direction
- Inventory legitimate JamPlus use first; developer and build systems can create false positives if alerts are based only on the presence of the tool.
- Tune for behavior chains: unexpected JamPlus execution, unusual .jam file locations, suspicious parent processes, non-developer users, or unexpected child process activity.
- Validate that endpoint logging captures full command line and process ancestry; without this, proxy execution through a trusted utility may appear benign.
- Compare activity against known build hosts and approved development workflows to identify out-of-pattern use.
- Use the related DET0585 strategy as supporting context, while recognizing that ATT&CK did not provide native detection logic in the technique object.
Mitigation priorities
- Remove or disable JamPlus where it is not required, consistent with M1042 Disable or Remove Feature or Program.
- Restrict JamPlus execution to approved developer or build systems rather than treating it as broadly trusted software.
- Use execution prevention controls such as application control and script blocking, consistent with M1038, but validate that policies account for trusted developer utilities being used as execution proxies.
- Maintain software inventory and exception ownership so application-control allow rules are tied to business need.
- Review controls after changes to developer tooling, because trusted build utilities can create blind spots if allowlisted without behavioral monitoring.
Analyst notes and limits
The key defensive question is whether JamPlus is a known, governed tool in the local environment. If it is expected, detection should focus on abnormal use and behavior chains. If it is not expected, its presence or execution may warrant investigation as an unauthorized developer utility capable of proxying script execution.
The supplied ATT&CK object has no official detection text and only identifies Windows as the platform. This take is limited to the official description, external references, and relationships provided; local software inventory, endpoint telemetry, and application-control policy data are required to determine actual exposure or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1127 | Trusted Developer Utilities Proxy Execution | This object is a sub-technique of Trusted Developer Utilities Proxy Execution. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 65c5f4f8caed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Perforce Software, Inc. (n.d.). JamPlus manual: Quick Start Guide. Retrieved March 21, 2025.
[2] Cyble. (2024, September 9). Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC). Retrieved March 21, 2025.
[3] Joe Desimone, Elastic Security Labs. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025.
[4] MITRE ATT&CK. T1127.003: JamPlus.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.