| Item | Value |
|---|---|
| ID | DET0372 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1678 (Delay Execution)
Analytics
Windows
AN1048
Correlated use of sleep/delay mechanisms (e.g., kernel32!Sleep, NTDLL APIs) in short-lived processes, combined with parent processes invoking suspicious scripts (e.g., wscript, powershell) with minimal user interaction.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Delay duration that distinguishes benign scripts from evasive behavior. |
| ParentProcessName | Legitimate parent-child combinations may differ across environments. |
| SleepFunctionPattern | Different APIs may be used to invoke sleep (e.g., Sleep, NtDelayExecution). |
Linux
AN1049
Shell scripts or binaries invoking repeated ‘sleep’, ‘ping’, or low-level syscalls (e.g., nanosleep) in short-lived execution chains with no user or system interaction. Frequently seen in malicious cron jobs or payload stagers.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| CommandLineRegex | Environment-specific delay scripts may vary (sleep 300, ping -n 60, etc.). |
| TimeBetweenSyscalls | Threshold for determining if delay is artificially extended. |
| UserContext | Root vs. service user context alters risk profile. |
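As an added illustration of the AN1049 logic (example code, not part of this detection strategy's published content), the Python below applies the CommandLineRegex and UserContext mutable elements, plus an assumed delay-length threshold standing in for TimeBetweenSyscalls, to constructed process-creation events. The event fields, threshold values, parent-process set and sample command lines are all assumptions.

```python
import re
from dataclasses import dataclass

# Mutable elements of AN1049, with constructed default values (tune per environment).
DELAY_CMD_RE = re.compile(r"\b(?:sleep\s+(\d+)|ping\s+-[nc]\s+(\d+))\b")  # CommandLineRegex
DELAY_THRESHOLD_SEC = 120                      # assumed stand-in for TimeBetweenSyscalls
HIGH_RISK_USERS = {"root"}                     # UserContext
NON_INTERACTIVE_PARENTS = {"cron", "crond", "systemd"}  # assumed "no user interaction" parents

@dataclass
class ProcEvent:
    """Minimal process-creation record; field names are assumptions, not a real log schema."""
    pid: int
    parent: str
    cmdline: str
    user: str
    tty: str  # "?" means no controlling terminal, i.e. no interactive session

def delay_seconds(cmdline: str) -> int:
    """Sum every sleep/ping delay primitive found in the command line (0 if none)."""
    return sum(int(m.group(1) or m.group(2)) for m in DELAY_CMD_RE.finditer(cmdline))

def score_event(ev: ProcEvent):
    """Return (suspicious, reasons). Needs a delay primitive plus at least two risk signals."""
    reasons = []
    delay = delay_seconds(ev.cmdline)
    if delay == 0:
        return False, reasons
    if delay >= DELAY_THRESHOLD_SEC:
        reasons.append(f"delay {delay}s >= {DELAY_THRESHOLD_SEC}s")
    if ev.tty == "?" and ev.parent in NON_INTERACTIVE_PARENTS:
        reasons.append(f"non-interactive parent {ev.parent}")
    if ev.user in HIGH_RISK_USERS:
        reasons.append(f"high-risk user {ev.user}")
    return len(reasons) >= 2, reasons

def scan(events):
    """Return the pids of events that trip the analytic."""
    return [ev.pid for ev in events if score_event(ev)[0]]

# Constructed sample events: one staged cron payload, three benign uses of delay commands.
SAMPLE_EVENTS = [
    ProcEvent(101, "crond", "/bin/sh -c 'sleep 300 && /tmp/stager'", "root", "?"),
    ProcEvent(102, "bash", "sleep 5", "alice", "pts/0"),
    ProcEvent(103, "crond", "/usr/local/bin/backup.sh", "root", "?"),
    ProcEvent(104, "bash", "ping -c 200 10.0.0.1", "alice", "pts/0"),  # long, but interactive
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.pid, score_event(ev))
```

Event 104 shows why the signals are combined: a long delay alone, typed at an interactive shell by an unprivileged user, is not enough to alert.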
macOS
AN1050
Execution of AppleScript, bash, or launchd jobs that invoke delay functions (e.g., sleep, delay in AppleScript) with limited parent interaction and staged follow-on commands.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ScriptPattern | AppleScript vs. shell scripts differ per threat and organization. |
| UserContext | Execution under user vs. daemon context changes severity. |
| DelayDurationThreshold | Amount of delay that distinguishes benign usage from evasion. |