T1678 Delay Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PingLoopThreshold = 30;
let SleepThresholdSeconds = 300;
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (
    // Ping-based delay: high iteration count (Mustang Panda T1678 pattern)
    (
        FileName =~ "ping.exe"
        and ProcessCommandLine matches regex @"(?i)-n\s+(3[0-9]|[4-9]\d|\d{3,})"
    )
    // PowerShell Start-Sleep with 300+ seconds
    or (
        FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine matches regex @"(?i)(Start-Sleep|sleep)\s+(-Seconds\s+|-s\s+)?[3-9]\d{2,}"
    )
    // CMD timeout with 300+ seconds
    or (
        FileName =~ "timeout.exe"
        and ProcessCommandLine matches regex @"(?i)/t\s+[3-9]\d{2,}"
    )
    // Wscript/Cscript sleep via WScript.Sleep with 300000+ ms
    or (
        FileName in~ ("wscript.exe", "cscript.exe")
        and ProcessCommandLine matches regex @"(?i)WScript\.Sleep\s*\(\s*[3-9]\d{5,}"
    )
    // Bash/sh sleep on Linux/macOS
    or (
        FileName in~ ("sleep", "bash", "sh", "zsh", "python", "python3")
        and ProcessCommandLine matches regex @"(?i)(^|\s|;|&&|\|\|)sleep\s+[3-9]\d{2,}"
    )
)
| extend
    DelayMethod = case(
        FileName =~ "ping.exe", "ping-loop",
        FileName in~ ("powershell.exe", "pwsh.exe"), "powershell-sleep",
        FileName =~ "timeout.exe", "cmd-timeout",
        FileName in~ ("wscript.exe", "cscript.exe"), "wscript-sleep",
        "shell-sleep"
    ),
    PingCount = case(
        FileName =~ "ping.exe",
        toint(extract(@"(?i)-n\s+(\d+)", 1, ProcessCommandLine)),
        int(null)
    ),
    SleepSeconds = case(
        FileName in~ ("powershell.exe", "pwsh.exe"),
        toint(extract(@"(?i)(?:Start-Sleep|-s)\s+(\d+)", 1, ProcessCommandLine)),
        FileName =~ "timeout.exe",
        toint(extract(@"(?i)/t\s+(\d+)", 1, ProcessCommandLine)),
        int(null)
    )
| project
    TimeGenerated,
    DeviceName,
    DeviceId,
    AccountName,
    AccountDomain,
    FileName,
    FolderPath,
    ProcessCommandLine,
    ProcessId,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessFolderPath,
    InitiatingProcessId,
    InitiatingProcessParentFileName,
    DelayMethod,
    PingCount,
    SleepSeconds
| order by TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
PowerShell-based health check scripts polling for application startup with Start-Sleep loops
Scheduled maintenance scripts using timeout to serialize sequential operations
Developer test scripts intentionally sleeping to simulate slow network conditions

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval cmdline=coalesce(CommandLine, "")
| where (
    (
        like(Image_lower, "%\\ping.exe")
        AND match(cmdline, "(?i)-n\\s+(3[0-9]|[4-9]\\d|\\d{3,})")
    )
    OR (
        (like(Image_lower, "%\\powershell.exe") OR like(Image_lower, "%\\pwsh.exe"))
        AND match(cmdline, "(?i)(Start-Sleep|sleep)\\s+(-[Ss]\\s+|-Seconds\\s+)?[3-9]\\d{2,}")
    )
    OR (
        like(Image_lower, "%\\timeout.exe")
        AND match(cmdline, "(?i)/t\\s+[3-9]\\d{2,}")
    )
    OR (
        (like(Image_lower, "%\\wscript.exe") OR like(Image_lower, "%\\cscript.exe"))
        AND match(cmdline, "(?i)WScript\\.Sleep\\s*\\(\\s*[3-9]\\d{5,}")
    )
)
| eval delay_type=case(
    like(Image_lower, "%\\ping.exe"), "ping-loop-delay",
    like(Image_lower, "%\\powershell.exe") OR like(Image_lower, "%\\pwsh.exe"), "powershell-sleep",
    like(Image_lower, "%\\timeout.exe"), "cmd-timeout-delay",
    like(Image_lower, "%\\wscript.exe") OR like(Image_lower, "%\\cscript.exe"), "wscript-sleep",
    true(), "other-delay"
)
| eval ping_count=if(like(Image_lower, "%\\ping.exe"), tonumber(replace(cmdline, ".*-n\\s+(\\d+).*", "\\1")), null())
| eval sleep_seconds=case(
    match(cmdline, "(?i)(?:Start-Sleep|-s|-Seconds)\\s+(\\d+)"),
    tonumber(replace(cmdline, ".*(?:Start-Sleep|-s|-Seconds)\\s+(\\d+).*", "\\1")),
    match(cmdline, "(?i)/t\\s+(\\d+)"),
    tonumber(replace(cmdline, ".*/t\\s+(\\d+).*", "\\1")),
    true(), null()
)
| table _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, delay_type, ping_count, sleep_seconds
| sort -_time

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Network operations team scripts pinging endpoints with high counts for availability testing
Software installers using timeout to wait for Windows services to restart after configuration
CI/CD pipeline scripts sleeping between health-check retry attempts during deployment
IT configuration management tools (Ansible, Chef, Puppet) using sleep for dependency sequencing
Monitoring agents using periodic sleep loops between polling intervals

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1678*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
PowerShell-based health check scripts polling for application startup with Start-Sleep loops

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
PowerShell-based health check scripts polling for application startup with Start-Sleep loops

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
PowerShell-based health check scripts polling for application startup with Start-Sleep loops

Google Chronicle / SecOps

yaral

rule detection_t1678 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Delay Execution - T1678"
    severity = "HIGH"
    mitre_attack = "T1678"
    reference = "https://attack.mitre.org/techniques/T1678/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
PowerShell-based health check scripts polling for application startup with Start-Sleep loops

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
PowerShell-based health check scripts polling for application startup with Start-Sleep loops

Delay Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections