T1127.003 JamPlus

Sub-technique of T1127

Platforms: Windows

ATT&CK version: v19.1

What it is

Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility for code and data build systems. It works with several popular compilers and can generate workspaces for code editors such as Visual Studio. (Citation: JamPlus manual) Adversaries may abuse the `JamPlus` build utility to execute malicious scripts via a `.jam` file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control. (Citation: Cyble) (Citation: Elastic Security Labs)
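
A hunting sketch for the behaviour described above, added here as an example and not taken from MITRE or the cited reports: it scores process-creation events for JamPlus started from user-writable paths or by non-build parents, and for script hosts spawned by it. The binary name `jam.exe`, the Sysmon-style field names, the parent and script-host lists, and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumptions (not from the page): the JamPlus binary is jam.exe and events
# carry Sysmon-style Image / ParentImage fields. Tune the lists per environment.
JAM_NAMES = {"jam.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def score_event(ev):
    """Return reasons a process-creation event resembles JamPlus proxy execution."""
    reasons = []
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if base(image) in JAM_NAMES:
        # A build tool dropped next to its .jam file in a profile or temp
        # directory is unusual on a developer workstation.
        if any(p in image.lower() for p in USER_WRITABLE):
            reasons.append("jam.exe runs from a user-writable path")
        # Builds are normally started from an IDE, a shell or another build tool.
        if base(parent) not in BUILD_PARENTS:
            reasons.append("jam.exe started by non-build parent " + base(parent))
    elif base(parent) in JAM_NAMES and base(image) in SCRIPT_HOSTS:
        reasons.append("jam.exe spawned script host " + base(image))
    return reasons


def hunt(events):
    """Return (index, reasons) for every event with at least one reason."""
    return [(i, r) for i, r in ((i, score_event(e)) for i, e in enumerate(events)) if r]


# Constructed sample events, not taken from any real incident.
DROPPED = r"C:\Users\alice\AppData\Local\Temp\pkg\jam.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\jamplus\bin\jam.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": DROPPED, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": DROPPED},
]

if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```
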

ATT&CK tactics: 2

Stealth, Execution

References

  1. https://attack.mitre.org/techniques/T1127/003
  2. https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/
  3. https://www.elastic.co/security-labs/dismantling-smart-app-control
  4. https://jamplus.github.io/jamplus/quick_start.html

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.