MITRE ATT&CK Technique
Defense Evasion T1127.003
Description

Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.(Citation: JamPlus manual)

Adversaries may abuse the `JamPlus` build utility to execute malicious scripts via a `.jam` file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.(Citation: Cyble)(Citation: Elastic Security Labs)

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2025-03-21T13:36:48.710Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use `JamPlus` to proxy the execution of a '
                'malicious script. `JamPlus` is a build utility tool for code '
                'and data build systems. It works with several popular '
                'compilers and can be used for generating workspaces in code '
                'editors such as Visual Studio.(Citation: JamPlus manual)\n'
                '\n'
                'Adversaries may abuse the `JamPlus` build utility to execute '
                'malicious scripts via a `.jam` file, which describes the '
                'build process and required dependencies. Because the '
                'malicious script is executed from a reputable developer tool, '
                'it may subvert application control security systems such as '
                'Smart App Control.(Citation: Cyble)(Citation: Elastic '
                'Security Labs)',
 'external_references': [{'external_id': 'T1127.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1127/003'},
                         {'description': 'Cyble. (2024, September 9). '
                                         'Reputation Hijacking with JamPlus: A '
                                         'Maneuver to Bypass Smart App Control '
                                         '(SAC). Retrieved March 21, 2025.',
                          'source_name': 'Cyble',
                          'url': 'https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/'},
                         {'description': 'Joe Desimone. (2024, August 5). '
                                         'Dismantling Smart App Control. '
                                         'Retrieved March 21, 2025.',
                          'source_name': 'Elastic Security Labs',
                          'url': 'https://www.elastic.co/security-labs/dismantling-smart-app-control'},
                         {'description': 'Perforce Software, Inc.. (n.d.). '
                                         'JamPlus manual: Quick Start Guide. '
                                         'Retrieved March 21, 2025.',
                          'source_name': 'JamPlus manual',
                          'url': 'https://jamplus.github.io/jamplus/quick_start.html'}],
 'id': 'attack-pattern--7d356151-a69d-404e-896b-71618952702a',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-04-17T21:42:31.066Z',
 'name': 'JamPlus',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.0'}