title: Delay Execution (T1678)
id: df00tech-t1678
status: experimental
description: "This detection identifies adversary attempts to delay malicious execution using time-based evasion techniques including ping-loop delays, programmatic sleep commands, timeout utilities, and API hammering patterns. Adversaries leverage these methods to evade automated sandbox analysis environments that enforce execution time limits, blend malicious activity with normal operational windows, and ensure prior-stage payloads have completed. Common patterns include high-iteration ping loops (e.g., 'ping 8.8.8.8 -n 70' as used by Mustang Panda), PowerShell Start-Sleep with extended durations, CMD timeout commands, Linux sleep invocations from scripting contexts, and repeated Native API function calls (NtDelayExecution) that serve no functional purpose beyond timing control."
references:
  - https://attack.mitre.org/techniques/T1678/
  - https://df00tech.com/detections/T1678
author: df00tech
date: 2026/03/20
tags:
  - attack.t1678
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Network diagnostic scripts legitimately using ping with high iteration counts for connectivity monitoring
  - IT automation tools and deployment scripts using sleep/timeout to wait for service readiness or restart completion
  - PowerShell-based health check scripts polling for application startup with Start-Sleep loops
  - Scheduled maintenance scripts using timeout to serialize sequential operations
  - Developer test scripts intentionally sleeping to simulate slow network conditions
level: medium
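The command-line patterns the description lists (high-count ping loops, long Start-Sleep and timeout durations, Linux sleep from a scripting parent), as an added example of detection logic run over constructed process_creation records. This is not df00tech's rule logic, and the thresholds, Sysmon-style field names (CommandLine, ParentImage) and sample events are assumptions made for the illustration.

```python
import re

# Thresholds, Sysmon-style field names and sample events are assumptions for this example.
PING_MIN_COUNT = 30       # ping -n / -c iterations that look like a delay loop rather than a check
SLEEP_MIN_SECONDS = 60    # Start-Sleep / timeout / sleep durations worth flagging
SCRIPT_PARENTS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}

_PING = re.compile(r"\bping(?:\.exe)?\b.*?\s-(?:n|c)\s+(\d+)", re.I)
_START_SLEEP_S = re.compile(r"start-sleep\s+(?:-(?:s|seconds)\s+)?(\d+)", re.I)
_START_SLEEP_MS = re.compile(r"start-sleep\s+-(?:m|milliseconds)\s+(\d+)", re.I)
_TIMEOUT = re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I)  # CMD timeout; GNU "timeout N" also matches
_SLEEP = re.compile(r"(?:^|[;&|\s/])sleep\s+(\d+)s?\b", re.I)           # plain sleep, not Start-Sleep

def classify(event: dict) -> list[str]:
    """Return delay indicators in one process_creation event (NtDelayExecution is API-level, out of scope here)."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    hits = []
    if (m := _PING.search(cmd)) and int(m.group(1)) >= PING_MIN_COUNT:
        hits.append(f"ping_loop:{m.group(1)}")
    secs = 0.0
    if m := _START_SLEEP_MS.search(cmd):
        secs = int(m.group(1)) / 1000          # normalise -Milliseconds to seconds
    elif m := _START_SLEEP_S.search(cmd):
        secs = float(m.group(1))
    if secs >= SLEEP_MIN_SECONDS:
        hits.append(f"start_sleep:{secs:g}")
    if (m := _TIMEOUT.search(cmd)) and int(m.group(1)) >= SLEEP_MIN_SECONDS:
        hits.append(f"timeout:{m.group(1)}")
    # Linux sleep only counts when launched from a scripting parent, as the rule text describes.
    if (m := _SLEEP.search(cmd)) and parent in SCRIPT_PARENTS and int(m.group(1)) >= SLEEP_MIN_SECONDS:
        hits.append(f"sleep:{m.group(1)}")
    return hits

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (CommandLine, indicators) for every event that matched at least one pattern."""
    return [(e["CommandLine"], h) for e in events if (h := classify(e))]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ParentImage": "C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe",
     "CommandLine": 'cmd.exe /c ping 8.8.8.8 -n 70 > nul && start "" stage2.exe'},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c Start-Sleep -Seconds 300; .\\stage2.ps1"},
    {"ParentImage": "/bin/bash", "CommandLine": "sleep 120"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "ping -n 4 10.0.0.1"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -c Start-Sleep -Milliseconds 500"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c timeout /t 90 /nobreak & deploy.bat"},
]
```

The two benign records (a four-packet ping and a half-second Start-Sleep) fall under the thresholds and produce no indicator, which is where the listed false positives are tuned out in practice.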
