Detect Delay Execution in Microsoft Sentinel
This detection identifies adversary attempts to delay malicious execution using time-based evasion techniques including ping-loop delays, programmatic sleep commands, timeout utilities, and API hammering patterns. Adversaries leverage these methods to evade automated sandbox analysis environments that enforce execution time limits, blend malicious activity with normal operational windows, and ensure prior-stage payloads have completed. Common patterns include high-iteration ping loops (e.g., 'ping 8.8.8.8 -n 70' as used by Mustang Panda), PowerShell Start-Sleep with extended durations, CMD timeout commands, Linux sleep invocations from scripting contexts, and repeated Native API function calls (NtDelayExecution) that serve no functional purpose beyond timing control.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1678 Delay Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1678/
KQL Detection Query
let PingLoopThreshold = 30;
let SleepThresholdSeconds = 300;
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (
// Ping-based delay: high iteration count (Mustang Panda T1678 pattern)
(
FileName =~ "ping.exe"
and ProcessCommandLine matches regex @"(?i)-n\s+(3[0-9]|[4-9]\d|\d{3,})"
)
// PowerShell Start-Sleep with 300+ seconds
or (
FileName in~ ("powershell.exe", "pwsh.exe")
and ProcessCommandLine matches regex @"(?i)(Start-Sleep|sleep)\s+(-Seconds\s+|-s\s+)?[3-9]\d{2,}"
)
// CMD timeout with 300+ seconds
or (
FileName =~ "timeout.exe"
and ProcessCommandLine matches regex @"(?i)/t\s+[3-9]\d{2,}"
)
// Wscript/Cscript sleep via WScript.Sleep with 300000+ ms
or (
FileName in~ ("wscript.exe", "cscript.exe")
and ProcessCommandLine matches regex @"(?i)WScript\.Sleep\s*\(\s*[3-9]\d{5,}"
)
// Bash/sh sleep on Linux/macOS
or (
FileName in~ ("sleep", "bash", "sh", "zsh", "python", "python3")
and ProcessCommandLine matches regex @"(?i)(^|\s|;|&&|\|\|)sleep\s+[3-9]\d{2,}"
)
)
| extend
DelayMethod = case(
FileName =~ "ping.exe", "ping-loop",
FileName in~ ("powershell.exe", "pwsh.exe"), "powershell-sleep",
FileName =~ "timeout.exe", "cmd-timeout",
FileName in~ ("wscript.exe", "cscript.exe"), "wscript-sleep",
"shell-sleep"
),
PingCount = case(
FileName =~ "ping.exe",
toint(extract(@"(?i)-n\s+(\d+)", 1, ProcessCommandLine)),
int(null)
),
SleepSeconds = case(
FileName in~ ("powershell.exe", "pwsh.exe"),
toint(extract(@"(?i)(?:Start-Sleep|-s)\s+(\d+)", 1, ProcessCommandLine)),
FileName =~ "timeout.exe",
toint(extract(@"(?i)/t\s+(\d+)", 1, ProcessCommandLine)),
int(null)
)
| project
TimeGenerated,
DeviceName,
DeviceId,
AccountName,
AccountDomain,
FileName,
FolderPath,
ProcessCommandLine,
ProcessId,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessFolderPath,
InitiatingProcessId,
InitiatingProcessParentFileName,
DelayMethod,
PingCount,
SleepSeconds
| order by TimeGenerated descDetects execution of common delay techniques used by adversaries including high-iteration ping loops (>=30 counts), PowerShell Start-Sleep with durations >=300 seconds, CMD timeout with >=300 second delays, WScript.Sleep with >=300000 milliseconds, and shell sleep commands with long durations. Captures the parent process context to identify suspicious execution chains.
Data Sources
Required Tables
False Positives & Tuning
- Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
- IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
- PowerShell-based health check scripts polling for application startup with Start-Sleep loops
- Scheduled maintenance scripts using timeout to serialize sequential operations
- Developer test scripts intentionally sleeping to simulate slow network conditions
Other platforms for T1678
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Ping Loop Delay - Windows (Mustang Panda Pattern)
Expected signal: DeviceProcessEvents: FileName=ping.exe, ProcessCommandLine contains '-n 60', followed by cmd.exe creating delay_test_marker.txt. Sysmon EventCode=1 for ping.exe with -n 60 parameter.
- Test 2PowerShell Start-Sleep Delay
Expected signal: DeviceProcessEvents: FileName=powershell.exe, ProcessCommandLine contains 'Start-Sleep -Seconds 600'. PowerShell ScriptBlock log (Event 4104) will contain 'Start-Sleep -Seconds 600' if script block logging is enabled.
- Test 3CMD Timeout Delay Before Payload
Expected signal: DeviceProcessEvents: FileName=timeout.exe, ProcessCommandLine contains '/t 600'. Parent process cmd.exe command line shows chained execution with &&.
- Test 4Linux Shell Sleep Delay
Expected signal: Auditd execve syscall log showing sleep process with argument 600, parent process bash. Syslog entry if process accounting enabled.
- Test 5WScript.Sleep Delay via VBScript
Expected signal: DeviceProcessEvents: FileName=cscript.exe with ProcessCommandLine referencing sleep_test.vbs in %TEMP%. Sysmon Event 1 with parent process and full command line.
References (5)
- https://attack.mitre.org/techniques/T1678/
- https://www.zscaler.com/blogs/security-research/analysis-of-toneshell-backdoor-used-by-mustang-panda
- https://www.welivesecurity.com/en/eset-research/mustang-panda-cyberespionage-group-targets-europe/
- https://www.joesecurity.org/blog/3660857253354085862
- https://www.netskope.com/blog/nitol-bot-making-use-of-github-to-spread-infostealers
Unlock Pro Content
Get the full detection package for T1678 including response playbook, investigation guide, and atomic red team tests.