T1678 Sumo Logic CSE · Sumo

Detect Delay Execution in Sumo Logic CSE

This detection identifies adversary attempts to delay malicious execution using time-based evasion techniques including ping-loop delays, programmatic sleep commands, timeout utilities, and API hammering patterns. Adversaries leverage these methods to evade automated sandbox analysis environments that enforce execution time limits, blend malicious activity with normal operational windows, and ensure prior-stage payloads have completed. Common patterns include high-iteration ping loops (e.g., 'ping 8.8.8.8 -n 70' as used by Mustang Panda), PowerShell Start-Sleep with extended durations, CMD timeout commands, Linux sleep invocations from scripting contexts, and repeated Native API function calls (NtDelayExecution) that serve no functional purpose beyond timing control.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1678 Delay Execution
Canonical reference: https://attack.mitre.org/techniques/T1678/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```
// Sysmon process-creation events from script hosts and LOLBins
_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    or process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
// classify the launch by the strongest indicator present in the command line
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
// web-server parents score highest (possible webshell), then encoded/bypass flags
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort by risk_score desc
```

Severity: medium. Confidence: medium.

Sumo Logic detection for Delay Execution (T1678). Identifies adversary delay execution behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.
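Note that the query above keys on encoded, bypass-flagged or URL-bearing script launches rather than on the ping, Start-Sleep, timeout and sleep primitives the description names. As an added example that is not part of this page or of Sumo Logic's content, the Python below applies those delay patterns to constructed Sysmon/auditd-style process events; the 60-second threshold, the risk scores, the set of script-host parents and the event field names are assumptions, and the sample events are constructed to mirror the Testing Methodology cases.

```python
from __future__ import annotations
import re

# Threshold and scores are constructed for this example; tune them per environment.
LONG_DELAY_SECONDS = 60  # delays at or above this are treated as evasion-sized
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# (label, regex capturing the delay argument, divisor converting it to seconds).
# Windows ping sends one echo request per second, so "ping -n N" waits about N s.
DELAY_PATTERNS = [
    ("PingLoopDelay",     re.compile(r"\bping(?:\.exe)?\b[^&|]*?\s-[nc]\s+(\d+)", re.I), 1),
    ("PowerShellSleep",   re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I), 1),
    ("PowerShellSleepMs", re.compile(r"start-sleep\s+-m(?:illiseconds)?\s+(\d+)", re.I), 1000),
    ("CmdTimeoutDelay",   re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I), 1),
    ("WScriptSleep",      re.compile(r"wscript\.sleep\s*\(?\s*(\d+)", re.I), 1000),
    # the lookbehind keeps Start-Sleep and WScript.Sleep from matching as a shell sleep
    ("ShellSleepDelay",   re.compile(r"(?<![\w.-])sleep\s+(\d+)", re.I), 1),
]

def classify(event: dict) -> dict | None:
    """Return a finding when a process event's command line carries a long delay."""
    cmdline = event.get("process_cmdline", "")
    for label, regex, divisor in DELAY_PATTERNS:
        m = regex.search(cmdline)
        seconds = int(m.group(1)) / divisor if m else 0
        if seconds < LONG_DELAY_SECONDS:
            continue  # no delay, or one too short to matter: try the next pattern
        # Script-host parents and chained follow-on commands are the evasion shape.
        risk = 60
        if event.get("parent_process_name", "").lower() in SCRIPT_HOSTS:
            risk += 20
        if "&&" in cmdline or ";" in cmdline:
            risk += 10
        return {"detection_type": label, "delay_seconds": seconds, "risk_score": risk}
    return None

def scan(events: list[dict]) -> list[dict]:
    """Classify a batch of Sysmon/auditd-style process events, highest risk first."""
    hits = [dict(e, **h) for e in events if (h := classify(e))]
    return sorted(hits, key=lambda h: h["risk_score"], reverse=True)

# Constructed sample events mirroring the Testing Methodology cases on this page.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_process_name": "cmd.exe",
     "process_cmdline": "ping 8.8.8.8 -n 70 >nul && cmd /c echo x > delay_test_marker.txt"},
    {"host": "ws02", "parent_process_name": "wscript.exe",
     "process_cmdline": "powershell.exe -c Start-Sleep -Seconds 600; .\\stage2.ps1"},
    {"host": "ws03", "parent_process_name": "cmd.exe", "process_cmdline": "timeout /t 600 && stage2.exe"},
    {"host": "lx01", "parent_process_name": "bash", "process_cmdline": "bash -c 'sleep 600 && ./stage2.sh'"},
]
```

Short diagnostic pings and sub-minute sleeps fall below the threshold and produce no finding, which is where the tuning items below apply.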

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Event Logs
  • Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives & Tuning

  • Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
  • IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
  • PowerShell-based health check scripts polling for application startup with Start-Sleep loops

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Ping Loop Delay - Windows (Mustang Panda Pattern)

    Expected signal: DeviceProcessEvents: FileName=ping.exe, ProcessCommandLine contains '-n 60', followed by cmd.exe creating delay_test_marker.txt. Sysmon EventCode=1 for ping.exe with -n 60 parameter.

  2. Test 2: PowerShell Start-Sleep Delay

    Expected signal: DeviceProcessEvents: FileName=powershell.exe, ProcessCommandLine contains 'Start-Sleep -Seconds 600'. PowerShell ScriptBlock log (Event 4104) will contain 'Start-Sleep -Seconds 600' if script block logging is enabled.

  3. Test 3: CMD Timeout Delay Before Payload

    Expected signal: DeviceProcessEvents: FileName=timeout.exe, ProcessCommandLine contains '/t 600'. Parent process cmd.exe command line shows chained execution with &&.

  4. Test 4: Linux Shell Sleep Delay

    Expected signal: Auditd execve syscall log showing sleep process with argument 600, parent process bash. Syslog entry if process accounting enabled.

  5. Test 5: WScript.Sleep Delay via VBScript

    Expected signal: DeviceProcessEvents: FileName=cscript.exe with ProcessCommandLine referencing sleep_test.vbs in %TEMP%. Sysmon Event 1 with parent process and full command line.
