T1497.003 Time Based Checks Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimingAPIs = dynamic(["GetTickCount", "GetSystemTimeAsFileTime", "QueryPerformanceCounter", "NtQuerySystemTime", "timeGetTime", "GetSystemTime"]);
let SleepCommands = dynamic(["Start-Sleep", "timeout /t", "ping -n", "WScript.Sleep", "Thread.Sleep", "kernel32!Sleep", "sleep("]);
let UptimeChecks = dynamic(["systeminfo | find \"Boot Time\"", "net statistics", "wmic os get lastbootuptime", "GetTickCount64"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (TimingAPIs)
    or (ProcessCommandLine has_any (SleepCommands) and InitiatingProcessFileName !in~ ("svchost.exe", "explorer.exe", "taskhostw.exe"))
    or ProcessCommandLine has_any (UptimeChecks)
    or (FileName =~ "timeout.exe" and ProcessCommandLine matches regex @"timeout\s+/t\s+\d{3,}")
    or (FileName =~ "ping.exe" and ProcessCommandLine matches regex @"ping\s+-n\s+\d{3,}\s+127\.0\.0\.1")
| extend TimingAPICheck = ProcessCommandLine has_any (TimingAPIs)
| extend LongSleep = (FileName =~ "timeout.exe" and ProcessCommandLine matches regex @"\d{3,}")
    or (FileName =~ "ping.exe" and ProcessCommandLine has "127.0.0.1" and ProcessCommandLine matches regex @"-n\s+\d{3,}")
| extend SleepCommand = ProcessCommandLine has_any ("Start-Sleep", "WScript.Sleep", "Thread.Sleep")
| extend UptimeQuery = ProcessCommandLine has_any ("lastbootuptime", "Boot Time", "net statistics")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         TimingAPICheck, LongSleep, SleepCommand, UptimeQuery
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Process: OS API Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Batch scripts using timeout or ping for legitimate delays between operations
PowerShell scripts with Start-Sleep for pacing API calls to avoid rate limiting
System monitoring tools that check uptime as part of health reporting
Application installers that pause between installation phases

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval TimingAPICheck=if(match(CommandLine, "(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime)"), 1, 0)
| eval LongTimeout=if(match(Image, "(?i)timeout\.exe") AND match(CommandLine, "timeout\s+/t\s+\d{3,}"), 1, 0)
| eval LongPingSleep=if(match(Image, "(?i)ping\.exe") AND match(CommandLine, "ping\s+-n\s+\d{3,}\s+127\.0\.0\.1"), 1, 0)
| eval ScriptSleep=if(match(CommandLine, "(start-sleep|wscript\.sleep|thread\.sleep)"), 1, 0)
| eval UptimeQuery=if(match(CommandLine, "(lastbootuptime|boot time|net statistics)"), 1, 0)
| eval SuspicionScore=TimingAPICheck*2 + LongTimeout*2 + LongPingSleep*2 + ScriptSleep + UptimeQuery
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TimingAPICheck, LongTimeout, LongPingSleep, ScriptSleep, UptimeQuery, SuspicionScore
| sort - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Batch scripts with legitimate timeout/ping delays
PowerShell scripts using Start-Sleep for API rate limiting
System monitoring tools checking uptime
Application installers pausing between phases

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  process.command_line : ("*GetTickCount*", "*GetSystemTimeAsFileTime*", "*QueryPerformanceCounter*", "*NtQuerySystemTime*", "*timeGetTime*", "*GetSystemTime*") or
  (
    process.name : "timeout.exe" and
    process.command_line regex~ "timeout\\s+/t\\s+[0-9]{3,}"
  ) or
  (
    process.name : "ping.exe" and
    process.command_line regex~ "-n\\s+[0-9]{3,}\\s+127\\.0\\.0\\.1"
  ) or
  (
    process.command_line : ("*Start-Sleep*", "*WScript.Sleep*", "*Thread.Sleep*") and
    not process.parent.name : ("svchost.exe", "explorer.exe", "taskhostw.exe")
  ) or
  process.command_line : ("*lastbootuptime*", "*Boot Time*", "*net statistics*")
)

medium severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon module Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legitimate automation and CI/CD scripts using Start-Sleep for polling intervals between retries or service readiness checks
System administrators running 'net statistics server' or querying lastbootuptime for uptime reporting and SLA verification
Network engineers using high ping repeat counts (ping -n 500 127.0.0.1) as a delay mechanism during network configuration scripts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  CASE
    WHEN "CommandLine" MATCHES '(?i).*(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime).*' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Image" MATCHES '(?i).*\\timeout\.exe$' AND "CommandLine" MATCHES '(?i).*\/t\s+\d{3,}.*' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Image" MATCHES '(?i).*\\ping\.exe$' AND "CommandLine" MATCHES '.*-n\s+\d{3,}\s+127\.0\.0\.1.*' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "CommandLine" MATCHES '(?i).*(start-sleep|wscript\.sleep|thread\.sleep).*' THEN 1
    ELSE 0
  END +
  CASE
    WHEN "CommandLine" MATCHES '(?i).*(lastbootuptime|boot time|net statistics).*' THEN 1
    ELSE 0
  END AS suspicion_score
FROM events
WHERE
  starttime > NOW() - 86400
  AND (
    "CommandLine" MATCHES '(?i).*(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime).*'
    OR ("Image" MATCHES '(?i).*\\timeout\.exe$' AND "CommandLine" IMATCHES '%/t %')
    OR ("Image" MATCHES '(?i).*\\ping\.exe$' AND "CommandLine" IMATCHES '%-n % 127.0.0.1%')
    OR "CommandLine" MATCHES '(?i).*(start-sleep|wscript\.sleep|thread\.sleep).*'
    OR "CommandLine" MATCHES '(?i).*(lastbootuptime|boot time|net statistics).*'
  )
HAVING suspicion_score > 0
ORDER BY starttime DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Windows Sysmon via QRadar Sysmon DSM (EventID 1) Windows Security Event Log (EventID 4688) with process command-line auditing enabled

Required Tables

events

False Positives

Administrative PowerShell scripts querying net statistics server or net statistics workstation for uptime dashboards
Software deployment tools (SCCM, PDQ Deploy) using timeout.exe or ping-based delays between installation phases
Developers referencing QueryPerformanceCounter or GetTickCount in build pipeline or profiling scripts

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| parse regex "(?i)<Data Name='EventID'>(?<event_id>\d+)</Data>" nodrop
| parse regex "(?i)<Data Name='CommandLine'>(?<command_line>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='Image'>(?<image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='ParentImage'>(?<parent_image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='User'>(?<user>[^<]+)</Data>" nodrop
| where event_id = "1"
| eval timing_api = if(command_line matches /(?i)(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime)/, 1, 0)
| eval long_timeout = if(image matches /(?i)\\timeout\.exe$/ AND command_line matches /\/t\s+\d{3,}/, 1, 0)
| eval long_ping_sleep = if(image matches /(?i)\\ping\.exe$/ AND command_line matches /-n\s+\d{3,}\s+127\.0\.0\.1/, 1, 0)
| eval script_sleep = if(command_line matches /(?i)(start-sleep|wscript\.sleep|thread\.sleep)/, 1, 0)
| eval uptime_query = if(command_line matches /(?i)(lastbootuptime|boot time|net statistics)/, 1, 0)
| eval suspicion_score = (timing_api * 2) + (long_timeout * 2) + (long_ping_sleep * 2) + script_sleep + uptime_query
| where suspicion_score > 0
| fields _messagetime, _sourcehost, user, image, command_line, parent_image, timing_api, long_timeout, long_ping_sleep, script_sleep, uptime_query, suspicion_score
| sort by _messagetime desc

medium severity medium confidence

Data Sources

Windows Sysmon EventID 1 (Process Create) via Sumo Logic Installed Collector Windows Event Log via Sumo Logic Windows Event Log Source

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*windows*

False Positives

Help desk runbooks querying lastbootuptime to diagnose boot-related issues submitted through ticketing automation
Monitoring agents (Zabbix, Nagios NRPE) executing net statistics to collect uptime metrics on scheduled intervals
PowerShell-based health check scripts in containerized or VM environments using Start-Sleep between readiness probe attempts

Google Chronicle / SecOps

yaral

rule t1497_003_time_based_evasion {
  meta:
    author = "Detection Engineering"
    description = "Detects T1497.003 time-based sandbox evasion: timing API calls, long sleep delays via timeout/ping, scripting sleep functions, and system uptime enumeration"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1497.003"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1497/003/"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.command_line, `(?i)(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime)`) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\timeout\.exe$`) and
        re.regex($e.principal.process.command_line, `/t\s+\d{3,}`)
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\ping\.exe$`) and
        re.regex($e.principal.process.command_line, `-n\s+\d{3,}\s+127\.0\.0\.1`)
      ) or
      (
        re.regex($e.principal.process.command_line, `(?i)(start-sleep|wscript\.sleep|thread\.sleep)`) and
        not re.regex($e.principal.process.parent_process.file.full_path, `(?i)(svchost\.exe|explorer\.exe|taskhostw\.exe)$`)
      ) or
      re.regex($e.principal.process.command_line, `(?i)(lastbootuptime|net\s+statistics)`)
    )

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle UDM ingestion Windows endpoint telemetry via Chronicle Forwarder Sysmon EventID 1 normalized to UDM PROCESS_LAUNCH

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Automated patch management systems querying lastbootuptime to determine whether a reboot is required after updates
PowerShell Desired State Configuration (DSC) scripts using Start-Sleep for convergence delays between resource applications
Security assessment and benchmarking tools referencing QueryPerformanceCounter or GetTickCount in process arguments during performance tests

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime|start-sleep|wscript\.sleep|thread\.sleep|lastbootuptime|net\s+statistics)/
  OR (FileName = /(?i)^timeout\.exe$/ AND CommandLine = /\/t\s+\d{3,}/)
  OR (FileName = /(?i)^ping\.exe$/ AND CommandLine = /-n\s+\d{3,}\s+127\.0\.0\.1/)
| TimingAPICheck := if(CommandLine =~ /(?i)(gettickcount|getsystemtimeasfiletime|queryperformancecounter|ntquerysystemtime|timegettime|getsystemtime)/, 2, 0)
| LongTimeout := if(FileName =~ /(?i)^timeout\.exe$/ AND CommandLine =~ /\/t\s+\d{3,}/, 2, 0)
| LongPingSleep := if(FileName =~ /(?i)^ping\.exe$/ AND CommandLine =~ /-n\s+\d{3,}\s+127\.0\.0\.1/, 2, 0)
| ScriptSleep := if(CommandLine =~ /(?i)(start-sleep|wscript\.sleep|thread\.sleep)/, 1, 0)
| UptimeQuery := if(CommandLine =~ /(?i)(lastbootuptime|net\s+statistics)/, 1, 0)
| SuspicionScore := TimingAPICheck + LongTimeout + LongPingSleep + ScriptSleep + UptimeQuery
| SuspicionScore > 0
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, TimingAPICheck, LongTimeout, LongPingSleep, ScriptSleep, UptimeQuery, SuspicionScore])
| sort(timestamp, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) Falcon Insight XDR process telemetry

Required Tables

ProcessRollup2

False Positives

IT automation frameworks (Ansible WinRM, Puppet, SaltStack) executing sleep-based retry logic via PowerShell or cmd on managed Windows endpoints
Software installers (e.g., Visual Studio redistributables, SQL Server setup) using ping-based delays to wait for services to initialize
Windows Performance Toolkit or custom benchmarking scripts invoking QueryPerformanceCounter for timing measurements passed as command-line arguments

Time Based Checks

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections