Detect Delay Execution in Splunk
This detection identifies adversary attempts to delay malicious execution using time-based evasion techniques including ping-loop delays, programmatic sleep commands, timeout utilities, and API hammering patterns. Adversaries leverage these methods to evade automated sandbox analysis environments that enforce execution time limits, blend malicious activity with normal operational windows, and ensure prior-stage payloads have completed. Common patterns include high-iteration ping loops (e.g., 'ping 8.8.8.8 -n 70' as used by Mustang Panda), PowerShell Start-Sleep with extended durations, CMD timeout commands, Linux sleep invocations from scripting contexts, and repeated Native API function calls (NtDelayExecution) that serve no functional purpose beyond timing control.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1678 Delay Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1678/
SPL Detection Query
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval cmdline=coalesce(CommandLine, "")
| where (
(
like(Image_lower, "%\\ping.exe")
AND match(cmdline, "(?i)-n\\s+(3[0-9]|[4-9]\\d|\\d{3,})")
)
OR (
(like(Image_lower, "%\\powershell.exe") OR like(Image_lower, "%\\pwsh.exe"))
AND match(cmdline, "(?i)(Start-Sleep|sleep)\\s+(-[Ss]\\s+|-Seconds\\s+)?[3-9]\\d{2,}")
)
OR (
like(Image_lower, "%\\timeout.exe")
AND match(cmdline, "(?i)/t\\s+[3-9]\\d{2,}")
)
OR (
(like(Image_lower, "%\\wscript.exe") OR like(Image_lower, "%\\cscript.exe"))
AND match(cmdline, "(?i)WScript\\.Sleep\\s*\\(\\s*[3-9]\\d{5,}")
)
)
| eval delay_type=case(
like(Image_lower, "%\\ping.exe"), "ping-loop-delay",
like(Image_lower, "%\\powershell.exe") OR like(Image_lower, "%\\pwsh.exe"), "powershell-sleep",
like(Image_lower, "%\\timeout.exe"), "cmd-timeout-delay",
like(Image_lower, "%\\wscript.exe") OR like(Image_lower, "%\\cscript.exe"), "wscript-sleep",
true(), "other-delay"
)
| eval ping_count=if(like(Image_lower, "%\\ping.exe"), tonumber(replace(cmdline, ".*-n\\s+(\\d+).*", "\\1")), null())
| eval sleep_seconds=case(
match(cmdline, "(?i)(?:Start-Sleep|-s|-Seconds)\\s+(\\d+)"),
tonumber(replace(cmdline, "(?i).*(?:Start-Sleep|-s|-Seconds)\\s+(\\d+).*", "\\1")),
match(cmdline, "(?i)/t\\s+(\\d+)"),
tonumber(replace(cmdline, "(?i).*/t\\s+(\\d+).*", "\\1")),
match(cmdline, "(?i)WScript\\.Sleep\\s*\\(\\s*(\\d+)"),
round(tonumber(replace(cmdline, "(?i).*WScript\\.Sleep\\s*\\(\\s*(\\d+).*", "\\1"))/1000),
true(), null()
)
| table _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, delay_type, ping_count, sleep_seconds
| sort -_time
Detects delay execution via Sysmon Process Create events (EventCode 1). It flags ping loops of 30 or more echo requests (roughly 30 seconds at ping's default one-second interval), PowerShell Start-Sleep and CMD timeout waits of 300 seconds or more, and WScript.Sleep calls of 300,000 ms or more; the thresholds are set to filter out short operational waits, and the ping threshold is deliberately lower than the others, so raise it if availability-check scripts are noisy in your environment. Parent process context is captured for execution chain analysis. Two caveats before deploying: replace index=* with the index that actually holds the Sysmon sourcetype so every index is not scanned, and note that the wscript.exe/cscript.exe branch only matches when the WScript.Sleep call appears on the command line itself, so a .vbs file invoked by path will not trigger it unless script content is collected separately. API-level delays such as repeated NtDelayExecution calls are not visible in process creation telemetry and need a different data source.
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 1, Process Create, with the CommandLine, ParentImage and ParentCommandLine fields populated)
False Positives & Tuning
- Network operations team scripts pinging endpoints with high counts for availability testing
- Software installers using timeout to wait for Windows services to restart after configuration
- CI/CD pipeline scripts sleeping between health-check retry attempts during deployment
- IT configuration management tools (Ansible, Chef, Puppet) using sleep for dependency sequencing
- Monitoring agents using periodic sleep loops between polling intervals
Testing Methodology
Validate this detection against the 5 adversary techniques from Atomic Red Team listed below. Each test states the behaviour to exercise and the telemetry you should expect to see. Note that the SPL query above reads only Windows Sysmon Process Create events: Test 4 (Linux) requires a separate auditd-based search, and Test 5 produces the expected Sysmon event but will not match the wscript-sleep branch because the WScript.Sleep call is inside the .vbs file rather than on the command line. Executable commands and cleanup steps are available with Pro.
- Test 1: Ping Loop Delay - Windows (Mustang Panda Pattern)
Expected signal: DeviceProcessEvents: FileName=ping.exe, ProcessCommandLine contains '-n 60', followed by cmd.exe creating delay_test_marker.txt. Sysmon EventCode=1 for ping.exe with the -n 60 parameter.
- Test 2: PowerShell Start-Sleep Delay
Expected signal: DeviceProcessEvents: FileName=powershell.exe, ProcessCommandLine contains 'Start-Sleep -Seconds 600'. The PowerShell ScriptBlock log (Event 4104) will contain 'Start-Sleep -Seconds 600' if script block logging is enabled.
- Test 3: CMD Timeout Delay Before Payload
Expected signal: DeviceProcessEvents: FileName=timeout.exe, ProcessCommandLine contains '/t 600'. The parent cmd.exe command line shows chained execution with &&.
- Test 4: Linux Shell Sleep Delay
Expected signal: Auditd execve syscall log showing a sleep process with argument 600 and parent process bash. Syslog entry if process accounting is enabled.
- Test 5: WScript.Sleep Delay via VBScript
Expected signal: DeviceProcessEvents: FileName=cscript.exe with ProcessCommandLine referencing sleep_test.vbs in %TEMP%. Sysmon Event 1 with parent process and full command line.
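As an added example, not code from the original page or its Pro package, the following Python re-implements the four command-line branches of the SPL query above and runs them over constructed Sysmon-like process events covering the five tests plus benign waits, so the thresholds and the ping_count/sleep_seconds extraction can be checked offline before the search is deployed. The field names (EventCode, Image, CommandLine, ParentImage) follow the Sysmon XML fields the query uses; the event records are constructed, not captured telemetry, and the inline wscript.exe command line exists only to exercise the fourth regex, since wscript normally takes a script file rather than inline code. The WScript.Sleep branch also converts milliseconds to seconds for the sleep_seconds field.

```python
"""Offline re-implementation of the SPL branches for T1678 delay detection (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One regex per SPL branch; the SPL's (?i) becomes re.IGNORECASE here.
PING_LOOP = re.compile(r"-n\s+(3[0-9]|[4-9]\d|\d{3,})", re.I)                                # >= 30 echo requests
PS_SLEEP = re.compile(r"(Start-Sleep|sleep)\s+(-[Ss]\s+|-Seconds\s+)?[3-9]\d{2,}", re.I)   # >= 300 s
CMD_TIMEOUT = re.compile(r"/t\s+[3-9]\d{2,}", re.I)                                          # >= 300 s
WSCRIPT_SLEEP = re.compile(r"WScript\.Sleep\s*\(\s*[3-9]\d{5,}", re.I)                       # >= 300000 ms

# Extractors behind the ping_count / sleep_seconds fields.
PING_COUNT = re.compile(r"-n\s+(\d+)", re.I)
SLEEP_SECONDS = re.compile(r"(?:Start-Sleep|-s|-Seconds)\s+(\d+)", re.I)
TIMEOUT_SECONDS = re.compile(r"/t\s+(\d+)", re.I)
WSCRIPT_MS = re.compile(r"WScript\.Sleep\s*\(\s*(\d+)", re.I)


@dataclass
class Hit:
    delay_type: str
    ping_count: Optional[int] = None
    sleep_seconds: Optional[int] = None


def _image_is(image: str, *names: str) -> bool:
    # Mirrors like(Image_lower, "%\\name.exe"): the path must end in "\name.exe".
    low = image.lower()
    return any(low.endswith("\\" + n) for n in names)


def _last_int(pattern: re.Pattern, text: str) -> Optional[int]:
    # SPL's replace(".*PATTERN(\d+).*", "\1") keeps the right-most match because the
    # leading .* is greedy; taking the last findall() result reproduces that.
    found = pattern.findall(text)
    return int(found[-1]) if found else None


def evaluate(event: dict) -> Optional[Hit]:
    """Apply the detection to one Sysmon EventCode 1 record (dict of field -> value)."""
    if event.get("EventCode") != 1:
        return None
    image = event.get("Image", "")
    cmd = event.get("CommandLine") or ""  # coalesce(CommandLine, "")

    if _image_is(image, "ping.exe") and PING_LOOP.search(cmd):
        return Hit("ping-loop-delay", ping_count=_last_int(PING_COUNT, cmd))
    if _image_is(image, "powershell.exe", "pwsh.exe") and PS_SLEEP.search(cmd):
        return Hit("powershell-sleep", sleep_seconds=_last_int(SLEEP_SECONDS, cmd))
    if _image_is(image, "timeout.exe") and CMD_TIMEOUT.search(cmd):
        return Hit("cmd-timeout-delay", sleep_seconds=_last_int(TIMEOUT_SECONDS, cmd))
    if _image_is(image, "wscript.exe", "cscript.exe") and WSCRIPT_SLEEP.search(cmd):
        ms = _last_int(WSCRIPT_MS, cmd)
        return Hit("wscript-sleep", sleep_seconds=round(ms / 1000) if ms is not None else None)
    return None


def run(events):
    """Return (event, hit) pairs for every event the detection fires on."""
    return [(e, h) for e in events if (h := evaluate(e)) is not None]


# Constructed Sysmon-like events (not real telemetry): the test cases plus benign noise.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 8.8.8.8 -n 70", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -Command Start-Sleep -Seconds 600; .\\stage2.exe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout /t 600"},
    # Test 5 shape: .vbs invoked by path, so the Sleep call is in the file, not the command line.
    {"EventCode": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Users\u\AppData\Local\Temp\sleep_test.vbs"},
    # Constructed solely to exercise the fourth regex; wscript does not take inline code.
    {"EventCode": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript.exe //E:vbscript WScript.Sleep(600000)"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 4 10.0.0.1"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout /t 30"},
    {"EventCode": 1, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "CommandLine": "pwsh -c start-sleep 900"},
    {"EventCode": 3, "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 999 x"},
]

if __name__ == "__main__":
    for event, hit in run(SAMPLE_EVENTS):
        print(f"{hit.delay_type:18} count={hit.ping_count!s:>5} secs={hit.sleep_seconds!s:>5}  {event['CommandLine']}")
```

Running the block lists five hits: the ping loop (70 requests), the two PowerShell sleeps (600 and 900 seconds, the second showing that lowercase start-sleep is parsed), the timeout (600 seconds) and the inline WScript.Sleep (600 seconds); the .vbs-by-path event, the short waits and the non-EventCode-1 record produce nothing, which is the behaviour to expect from the SPL as written.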
References (5)
- https://attack.mitre.org/techniques/T1678/
- https://www.zscaler.com/blogs/security-research/analysis-of-toneshell-backdoor-used-by-mustang-panda
- https://www.welivesecurity.com/en/eset-research/mustang-panda-cyberespionage-group-targets-europe/
- https://www.joesecurity.org/blog/3660857253354085862
- https://www.netskope.com/blog/nitol-bot-making-use-of-github-to-spread-infostealers