Description
Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems.
Adversaries may utilize programmatic sleep commands or native system scheduling functionality, for example Scheduled Task/Job. Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as ping, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)
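As an added example (not part of the ATT&CK page or any vendor's tooling), the following Python flags the Windows command-line delay idioms the description names (ping loops, `timeout`, `Start-Sleep`) in constructed process-creation events and notes whether a follow-on command is chained after the delay; the sample events, the estimated per-idiom wait, and the 30-second threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not from any real incident); "cmdline" mimics a Sysmon/4688 field.
SAMPLE_EVENTS = [
    {"pid": 4012, "cmdline": r"cmd /c ping 8.8.8.8 -n 70 & start C:\ProgramData\upd.exe"},
    {"pid": 4020, "cmdline": r"cmd /c ping 10.0.0.5 -n 2"},
    {"pid": 4033, "cmdline": r"cmd /c timeout /t 600 /nobreak & rundll32 C:\ProgramData\s.dll,Run"},
    {"pid": 4041, "cmdline": r"powershell -nop -c Start-Sleep -Seconds 900; & C:\ProgramData\stage.ps1"},
    {"pid": 4050, "cmdline": r"cmd /c dir C:\Users"},
]

# Delay idioms from the technique description, each with a scale that converts the captured number
# to an estimated wait in seconds (ping sends about one echo request per second to a reachable host).
IDIOMS = [
    ("ping", re.compile(r"\bping\b[^&|;]*?-n\s+(\d+)", re.I), 1.0),
    ("timeout", re.compile(r"\btimeout\b\s+(?:/t\s+)?(\d+)", re.I), 1.0),
    ("Start-Sleep", re.compile(r"Start-Sleep\s+-m(?:illiseconds)?\s+(\d+)", re.I), 0.001),
    ("Start-Sleep", re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I), 1.0),
]
CHAIN = re.compile(r"&&|\|\||[&|;]")   # a further command follows the delay on the same line
DELAY_THRESHOLD_SECONDS = 30           # assumed tuning value; baseline it against the environment

@dataclass
class Finding:
    pid: int
    idiom: str
    delay_seconds: int
    chained: bool   # True when the delay is followed by another command (the "wait, then run" shape)

def estimate_delay(cmdline):
    """Return (idiom, estimated seconds, offset after the match) or None if no idiom is present."""
    for name, pattern, scale in IDIOMS:
        m = pattern.search(cmdline)
        if m:
            return name, int(int(m.group(1)) * scale), m.end()
    return None

def analyze(events, threshold=DELAY_THRESHOLD_SECONDS):
    """Flag events whose command line waits at least `threshold` seconds before continuing."""
    findings = []
    for ev in events:
        hit = estimate_delay(ev["cmdline"])
        if hit is None:
            continue
        idiom, seconds, end = hit
        if seconds >= threshold:
            chained = bool(CHAIN.search(ev["cmdline"][end:]))
            findings.append(Finding(ev["pid"], idiom, seconds, chained))
    return findings
```

Short waits (the `ping -n 2` event) stay below the threshold, so the detector reports the three long delays and that each is chained to a follow-on command.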
Platforms
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has utilized the Sleep function to ensure execution of scripts.(Citation: Gen Digital Kimsuky HTTPTro... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has delayed the execution of payloads leveraging ping echo requests `cmd /c ping 8.8.8.8 -n 70&... |
Associated Software (16)
| ID | Name | Type | Context |
|---|---|---|---|
| S9032 | MuddyViper | Malware | [MuddyViper](https://attack.mitre.org/software/S9032) has the ability to sleep for a certain amount of time, with the default being one minute.(Citati... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has the ability to pause operations for a specified duration prior to follow-on execution of acti... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has used delayed execution to pause for a defined interval before performing environment disco... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has delayed execution of its larger payloads by forking itself into background process.(Citation... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has used a timeout function set to `9e5` which delays execution 900,000 milliseconds or 15 minute... |
| S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has used the `sleep` command within its code to generate a fake HTML upgrade progress bar that mim... |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has generated random sleep intervals between C2 communication.(Citation: CloudSEK_RustyWater_Jan... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has leveraged the Sleep functions before and after commands to ensure execution using the hexadeci... |
| S1230 | HIUPAN | Malware | [HIUPAN](https://attack.mitre.org/software/S1230) has used a config file “$.ini” to store a sleep multiplier to execute at a set interval value prior ... |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has embedded delayed-start logic that attempts to circumvent detection for long-term persistence... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) has the ability to delay execution.(Citation: Trend Micro Agenda Ransomware OCT 2025) |
| S9033 | Fooder | Malware | [Fooder](https://attack.mitre.org/software/S9033) has used a custom delay function (`delayExecution(integer)`) and Sleep API calls (`Sleep(integer)`) ... |
| S9038 | DynoWiper | Malware | [DynoWiper](https://attack.mitre.org/software/S9038) has utilized a five-second delay using `Sleep(5000)` between two of the three phases of the attac... |
| S0275 | UPPERCUT | Malware | [UPPERCUT](https://attack.mitre.org/software/S0275) can use a sleep function to delay execution.(Citation: Trend Micro Earth Kasha Updates APR 2025)(C... |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) has the ability to delay for a specified number of seconds before execution.(Citation: Zscaler ... |
| S9031 | AshTag | Malware | [AshTag](https://attack.mitre.org/software/S9031) can use a set sleep time to delay C2 beaconing.(Citation: Palo Alto Ashen Lepus DEC 2025) |
References
- Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021.
- Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
- Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021.
- Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021.
Frequently Asked Questions
What is T1678 (Delay Execution)?
T1678 is a MITRE ATT&CK technique named 'Delay Execution'. It belongs to the Stealth tactic(s). Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in wi...
How can T1678 be detected?
Detection of T1678 (Delay Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1678?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1678?
Known threat groups using T1678 include: Kimsuky, Mustang Panda.