Delay Execution
This detection identifies adversary attempts to delay malicious execution using time-based evasion techniques including ping-loop delays, programmatic sleep commands, timeout utilities, and API hammering patterns. Adversaries leverage these methods to evade automated sandbox analysis environments that enforce execution time limits, blend malicious activity with normal operational windows, and ensure prior-stage payloads have completed. Common patterns include high-iteration ping loops (e.g., 'ping 8.8.8.8 -n 70' as used by Mustang Panda), PowerShell Start-Sleep with extended durations, CMD timeout commands, Linux sleep invocations from scripting contexts, and repeated Native API function calls (NtDelayExecution) that serve no functional purpose beyond timing control.
What is T1678 Delay Execution?
Delay Execution (T1678) sits under the Defense Evasion tactic in MITRE ATT&CK: the adversary is trying to avoid being detected.
The detection below is built on Microsoft Defender for Endpoint process-creation telemetry (the DeviceProcessEvents table). It is rated medium severity at medium confidence and ships for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1678 Delay Execution
- Canonical reference: https://attack.mitre.org/techniques/T1678/
// Thresholds are documented here and encoded in the regex patterns below
let PingLoopThreshold = 30;
let SleepThresholdSeconds = 300;
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (
    // Ping-based delay: -n count of 30 or more (Mustang Panda T1678 pattern)
    (
        FileName =~ "ping.exe"
        and ProcessCommandLine matches regex @"(?i)-n\s+(3[0-9]|[4-9]\d|\d{3,})"
    )
    // PowerShell Start-Sleep (or its sleep alias) with 300+ seconds; -Milliseconds is not covered
    or (
        FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine matches regex @"(?i)(Start-Sleep|sleep)\s+(-Seconds\s+|-s\s+)?[3-9]\d{2,}"
    )
    // CMD timeout with 300+ seconds
    or (
        FileName =~ "timeout.exe"
        and ProcessCommandLine matches regex @"(?i)/t\s+[3-9]\d{2,}"
    )
    // WScript.Sleep with 300000+ ms. Matches only when the call text is on the command line;
    // a script run by path (cscript.exe delay.vbs) keeps the call inside the file and is not seen here
    or (
        FileName in~ ("wscript.exe", "cscript.exe")
        and ProcessCommandLine matches regex @"(?i)WScript\.Sleep\s*\(\s*[3-9]\d{5,}"
    )
    // Bash/sh sleep on Linux/macOS. Any non-word character may precede sleep, so quoted
    // forms such as bash -c 'sleep 600' match as well as a bare sleep process
    or (
        FileName in~ ("sleep", "bash", "sh", "zsh", "python", "python3")
        and ProcessCommandLine matches regex @"(?i)(^|[^\w-])sleep\s+[3-9]\d{2,}"
    )
)
| extend
    DelayMethod = case(
        FileName =~ "ping.exe", "ping-loop",
        FileName in~ ("powershell.exe", "pwsh.exe"), "powershell-sleep",
        FileName =~ "timeout.exe", "cmd-timeout",
        FileName in~ ("wscript.exe", "cscript.exe"), "wscript-sleep",
        "shell-sleep"
    ),
    PingCount = case(
        FileName =~ "ping.exe",
        toint(extract(@"(?i)-n\s+(\d+)", 1, ProcessCommandLine)),
        int(null)
    ),
    // The optional -Seconds/-s switch is skipped so that 'Start-Sleep -Seconds 600' yields 600 rather than null
    SleepSeconds = case(
        FileName in~ ("powershell.exe", "pwsh.exe"),
        toint(extract(@"(?i)(?:Start-Sleep|sleep)\s+(?:-Seconds\s+|-s\s+)?(\d+)", 1, ProcessCommandLine)),
        FileName =~ "timeout.exe",
        toint(extract(@"(?i)/t\s+(\d+)", 1, ProcessCommandLine)),
        FileName in~ ("sleep", "bash", "sh", "zsh", "python", "python3"),
        toint(extract(@"(?i)(?:^|[^\w-])sleep\s+(\d+)", 1, ProcessCommandLine)),
        int(null)
    )
| project
    TimeGenerated,
    DeviceName,
    DeviceId,
    AccountName,
    AccountDomain,
    FileName,
    FolderPath,
    ProcessCommandLine,
    ProcessId,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessFolderPath,
    InitiatingProcessId,
    InitiatingProcessParentFileName,
    DelayMethod,
    PingCount,
    SleepSeconds
| order by TimeGenerated desc
Detects execution of common delay techniques used by adversaries: high-iteration ping loops (>=30 counts), PowerShell Start-Sleep with durations >=300 seconds, CMD timeout with >=300 second delays, WScript.Sleep with >=300000 milliseconds, and shell sleep commands with long durations. Captures the parent process context (the InitiatingProcess* fields) to identify suspicious execution chains. Because the query reads process-creation telemetry only, the API-level delays mentioned in the overview (NtDelayExecution calls, API hammering) are out of its scope and need in-process or sandbox instrumentation instead.
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint): process creation with command line, account and initiating (parent) process fields
False Positives
- Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
- IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
- PowerShell-based health check scripts polling for application startup with Start-Sleep loops
- Scheduled maintenance scripts using timeout to serialize sequential operations
- Developer test scripts intentionally sleeping to simulate slow network conditions
- Tuning: exclude known automation agents by InitiatingProcessFileName and InitiatingProcessFolderPath rather than raising the thresholds, so that the same delay launched from an unexpected parent (an Office process, a script in a user-writable directory) still fires
Sigma rule & cross-platform mapping
The detection logic for Delay Execution (T1678) above is provided in vendor-neutral form so you can deploy it on any SIEM. The same logic ships as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google SecOps / Chronicle) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
A Sigma rule declares a single product, so the shell sleep branch (sleep, bash, sh, zsh, python) belongs in a sibling rule with product: linux (and macos) rather than in the Windows rule above.
Testing Methodology
Validate this detection against 5 Atomic Red Team-style tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Ping Loop Delay - Windows (Mustang Panda Pattern)
Expected signal: DeviceProcessEvents: FileName=ping.exe, ProcessCommandLine contains '-n 60', followed by cmd.exe creating delay_test_marker.txt. Sysmon EventCode=1 for ping.exe with the -n 60 parameter.
- Test 2: PowerShell Start-Sleep Delay
Expected signal: DeviceProcessEvents: FileName=powershell.exe, ProcessCommandLine contains 'Start-Sleep -Seconds 600'. The PowerShell ScriptBlock log (Event 4104) will also contain 'Start-Sleep -Seconds 600' if script block logging is enabled.
- Test 3: CMD Timeout Delay Before Payload
Expected signal: DeviceProcessEvents: FileName=timeout.exe, ProcessCommandLine contains '/t 600'. The parent process cmd.exe command line shows chained execution with &&.
- Test 4: Linux Shell Sleep Delay
Expected signal: Auditd execve syscall log showing a sleep process with argument 600 and parent process bash; a syslog entry if process accounting is enabled. On hosts running Defender for Endpoint for Linux the same execution appears in DeviceProcessEvents with FileName=sleep, which is the record the query's shell-sleep branch consumes.
- Test 5: WScript.Sleep Delay via VBScript
Expected signal: DeviceProcessEvents: FileName=cscript.exe with ProcessCommandLine referencing sleep_test.vbs in %TEMP%. Sysmon Event 1 with parent process and full command line. Note that the query's WScript.Sleep branch keys on the call text appearing in ProcessCommandLine, which it does not when the script is invoked by path, so this test confirms telemetry collection rather than a rule hit; catching the call itself needs script-content visibility, not process-creation events.
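The detection logic above run over sample events, as an added example that is not the page's own code or any vendor's: a Python port of the query's five branches applied to constructed DeviceProcessEvents-style records, one per test in the Testing Methodology plus benign controls. The ProcessEvent and Hit dataclasses, the event list and its command lines are assumptions built for this example. It also shows two of the points made above: the WScript.Sleep branch does not fire on Test 5's by-path invocation, and the quoted form bash -c 'sleep 900' is caught by the shell branch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds mirror the KQL query above.
PING_LOOP_THRESHOLD = 30
SLEEP_THRESHOLD_SECONDS = 300

# Regexes ported from the KQL. The duration is captured and compared numerically,
# which is equivalent to the digit-range patterns in the KQL (e.g. [3-9]\d{2,}
# is any integer >= 300) but easier to read and to tune.
PING_RE = re.compile(r"-n\s+(\d+)", re.I)
PS_SLEEP_RE = re.compile(r"(?:Start-Sleep|sleep)\s+(?:-Seconds\s+|-s\s+)?(\d+)", re.I)
TIMEOUT_RE = re.compile(r"/t\s+(\d+)", re.I)
WSCRIPT_RE = re.compile(r"WScript\.Sleep\s*\(\s*(\d+)", re.I)
# Any non-word, non-hyphen character may precede "sleep" so quoted forms such as
# bash -c 'sleep 600' are caught; "-" is excluded so Start-Sleep cannot match here.
SHELL_SLEEP_RE = re.compile(r"(?:^|[^\w-])sleep\s+(\d+)", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a DeviceProcessEvents row (constructed for the example, not real telemetry)."""
    file_name: str
    command_line: str
    initiating_process: str  # InitiatingProcessFileName


@dataclass(frozen=True)
class Hit:
    delay_method: str
    ping_count: Optional[int]
    sleep_seconds: Optional[int]
    initiating_process: str


def _first_int(pattern: "re.Pattern[str]", text: str) -> Optional[int]:
    m = pattern.search(text)
    return int(m.group(1)) if m else None


def classify(ev: ProcessEvent) -> Optional[Hit]:
    """Return a Hit if the event matches one of the query's branches, else None."""
    name = ev.file_name.lower()
    if name == "ping.exe":
        n = _first_int(PING_RE, ev.command_line)
        if n is not None and n >= PING_LOOP_THRESHOLD:
            return Hit("ping-loop", n, None, ev.initiating_process)
    elif name in ("powershell.exe", "pwsh.exe"):
        s = _first_int(PS_SLEEP_RE, ev.command_line)
        if s is not None and s >= SLEEP_THRESHOLD_SECONDS:
            return Hit("powershell-sleep", None, s, ev.initiating_process)
    elif name == "timeout.exe":
        s = _first_int(TIMEOUT_RE, ev.command_line)
        if s is not None and s >= SLEEP_THRESHOLD_SECONDS:
            return Hit("cmd-timeout", None, s, ev.initiating_process)
    elif name in ("wscript.exe", "cscript.exe"):
        # Fires only if the call text is on the command line; a .vbs path alone is not enough.
        ms = _first_int(WSCRIPT_RE, ev.command_line)
        if ms is not None and ms >= SLEEP_THRESHOLD_SECONDS * 1000:
            return Hit("wscript-sleep", None, ms // 1000, ev.initiating_process)
    elif name in ("sleep", "bash", "sh", "zsh", "python", "python3"):
        s = _first_int(SHELL_SLEEP_RE, ev.command_line)
        if s is not None and s >= SLEEP_THRESHOLD_SECONDS:
            return Hit("shell-sleep", None, s, ev.initiating_process)
    return None


def run_detection(events: List[ProcessEvent]) -> List[Hit]:
    return [h for h in (classify(e) for e in events) if h is not None]


# Constructed sample events: one per test in the Testing Methodology, a quoted
# bash -c form, and two benign controls below threshold that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("ping.exe", "ping 8.8.8.8 -n 60", "cmd.exe"),
    ProcessEvent("powershell.exe", 'powershell.exe -NoProfile -Command "Start-Sleep -Seconds 600; Write-Output done"', "explorer.exe"),
    ProcessEvent("timeout.exe", "timeout /t 600 /nobreak", "cmd.exe"),
    ProcessEvent("sleep", "sleep 600", "bash"),
    ProcessEvent("cscript.exe", r"cscript.exe //nologo C:\Users\u\AppData\Local\Temp\sleep_test.vbs", "cmd.exe"),
    ProcessEvent("bash", "bash -c 'sleep 900 && ./stage2.sh'", "cron"),
    ProcessEvent("ping.exe", "ping 10.0.0.1 -n 4", "cmd.exe"),
    ProcessEvent("powershell.exe", 'powershell.exe -Command "Start-Sleep -Seconds 5"', "svchost.exe"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints five hits (ping-loop 60, powershell-sleep 600, cmd-timeout 600, and two shell-sleep hits of 600 and 900 seconds); the cscript event and the two short-duration controls produce nothing, which is exactly the behaviour to expect from the KQL against the same telemetry.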