Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution

Technique Detected: Time Based Checks | T1497.003

ID: DET0141
Domains: Enterprise
Analytics: AN0396, AN0397, AN0398
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0396

Process creation involving suspicious delays (e.g., Sleep, ping -n loops, WaitForSingleObject), followed by sensitive system access or lateral movement behaviors.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7

Mutable Elements
Field | Description
SleepDurationThreshold | Defines the maximum allowable sleep duration in milliseconds before anomaly detection triggers.
TimeBetweenExecutionAndNextStage | Temporal window between the initial process and the next stage (e.g., lateral movement or persistence), used to correlate dormant activity.
UserContext | Whether the activity occurs in SYSTEM or user context may affect legitimacy scoring.

AN0397

Script-based execution of sleep loops or time delay commands (e.g., sleep, ping delay, while-loops) followed by file creation or network connections.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | auditd:SYSCALL | execve of sleep or ping command within a script interpreted by bash/python
File Metadata (DC0059) | auditd:SYSCALL | file write after sleep delay

Mutable Elements
Field | Description
SleepLoopCount | Defines how many loop iterations or sleep cycles are considered anomalous in the monitored environment.
ExecutionScriptType | Identifies which scripting interpreter is used (e.g., bash, python, perl) to adjust detection logic.
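The correlation described in AN0396 and AN0397 (a delay command above SleepDurationThreshold, followed within TimeBetweenExecutionAndNextStage by a next-stage process from the same parent), as an added illustration that is not part of the DET0141 page. It runs over constructed Sysmon EventCode=1 records; the delay patterns, the next-stage image list and the same-parent correlation key are assumptions chosen for the example, not analytic definitions from the page.

```python
import re
from datetime import datetime, timedelta

# Assumed next-stage images to correlate with (a mutable element; not from the page)
NEXT_STAGE_IMAGES = {"schtasks.exe", "wmic.exe", "psexec.exe", "net.exe"}
# (pattern, conversion to milliseconds); ping -n N waits ~1 s between echoes
_DELAY_PATTERNS = [
    (re.compile(r"\bping(?:\.exe)?\b.*?-n\s+(\d+)", re.I), lambda n: (int(n) - 1) * 1000),
    (re.compile(r"\btimeout(?:\.exe)?\b.*?(?:/t\s+)?(\d+)", re.I), lambda n: int(n) * 1000),
    (re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I), lambda n: int(n) * 1000),
    (re.compile(r"\bsleep\s+(\d+)", re.I), lambda n: int(n) * 1000),  # bash/python sleep
]

def delay_ms(command_line):
    """Milliseconds of delay a command line introduces, or 0 if it is not a delay command."""
    for pattern, to_ms in _DELAY_PATTERNS:
        m = pattern.search(command_line)
        if m:
            return to_ms(m.group(1))
    return 0

def detect_delayed_execution(events, sleep_threshold_ms=30000, window_s=600):
    """Flag a delay >= SleepDurationThreshold followed, under the same parent and within TimeBetweenExecutionAndNextStage seconds, by a next-stage image."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    alerts = []
    for i, ev in enumerate(events):
        ms = delay_ms(ev["CommandLine"])
        if ms < sleep_threshold_ms:
            continue
        deadline = ev["UtcTime"] + timedelta(seconds=window_s)
        for nxt in events[i + 1:]:
            if nxt["UtcTime"] > deadline:
                break  # outside the correlation window
            image = nxt["Image"].rsplit("\\", 1)[-1].lower()
            if nxt["ParentProcessId"] == ev["ParentProcessId"] and image in NEXT_STAGE_IMAGES:
                alerts.append((ev["ProcessId"], ms, image))
    return alerts

def _event(ts, pid, ppid, image, cmd):
    return {"UtcTime": datetime.fromisoformat(ts), "ProcessId": pid,
            "ParentProcessId": ppid, "Image": image, "CommandLine": cmd}

# Constructed Sysmon EventCode=1 records (not real telemetry): a 2-minute ping delay under parent 4000 followed by schtasks, and a benign 5 s timeout under parent 5100.
SAMPLE_EVENTS = [
    _event("2025-10-21 09:00:00", 4101, 4000, r"C:\Windows\System32\PING.EXE", "ping -n 120 127.0.0.1 > nul"),
    _event("2025-10-21 09:02:01", 4102, 4000, r"C:\Windows\System32\schtasks.exe", "schtasks /query"),
    _event("2025-10-21 09:05:00", 5200, 5100, r"C:\Windows\System32\timeout.exe", "timeout /t 5"),
    _event("2025-10-21 09:05:06", 5201, 5100, r"C:\Windows\System32\net.exe", "net use"),
]
```

With the default 30 s threshold only the ping chain is flagged; lowering SleepDurationThreshold to 1 s also flags the short timeout, which is the tuning trade-off the mutable elements describe.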

AN0398

Use of usleep, nanosleep, or NSTimer calls in executables or binaries with no GUI interaction, especially followed by disk/network activity.

Log Sources
Data Component | Name | Channel
OS API Execution (DC0021) | macos:unifiedlog | application logs referencing NSTimer, sleep, or launchd delays
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1

Mutable Elements
Field | Description
AppBundleIdentifier | Correlate with known/expected signed apps vs. unsigned binaries to reduce noise.
TimeToNextEvent | Minimum time expected between process start and observable I/O for normal apps.