MITRE ATT&CK Technique
Defense Evasion T1678
Description

Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems.

Adversaries may utilize programmatic `sleep` commands or native system scheduling functionality, for example [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053). Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as `ping`, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)

Supported Platforms
Linux, macOS, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2025-09-24T18:03:15.021Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may employ various time-based methods to evade '
                'detection and analysis. These techniques often exploit system '
                'clocks, delays, or timing mechanisms to obscure malicious '
                'activity, blend in with benign activity, and avoid scrutiny. '
                'Adversaries can perform this behavior within '
                'virtualization/sandbox environments or natively on host '
                'systems. \n'
                '\n'
                'Adversaries may utilize programmatic `sleep` commands or '
                'native system scheduling functionality, for example '
                '[Scheduled '
                'Task/Job](https://attack.mitre.org/techniques/T1053). Benign '
                'commands or other operations may also be used to delay '
                'malware execution or ensure prior commands have had time to '
                'execute properly. Loops or otherwise needless repetitions of '
                'commands, such as `ping`, may be used to delay malware '
                'execution and potentially exceed time thresholds of automated '
                'analysis environments.(Citation: Revil Independence '
                'Day)(Citation: Netskope Nitol) Another variation, commonly '
                'referred to as API hammering, involves making various calls '
                'to Native API functions in order to delay execution (while '
                'also potentially overloading analysis environments with junk '
                'data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)',
 'external_references': [{'external_id': 'T1678',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1678'},
                         {'description': 'Joe Security. (2016, April 21). '
                                         'Nymaim - evading Sandboxes with API '
                                         'hammering. Retrieved September 30, '
                                         '2021.',
                          'source_name': 'Joe Sec Nymaim',
                          'url': 'https://www.joesecurity.org/blog/3660886847485093803'},
                         {'description': 'Joe Security. (2020, July 13). '
                                         "TrickBot's new API-Hammering "
                                         'explained. Retrieved September 30, '
                                         '2021.',
                          'source_name': 'Joe Sec Trickbot',
                          'url': 'https://www.joesecurity.org/blog/498839998833561473'},
                         {'description': 'Loman, M. et al. (2021, July 4). '
                                         'Independence Day: REvil uses supply '
                                         'chain exploit to attack hundreds of '
                                         'businesses. Retrieved September 30, '
                                         '2021.',
                          'source_name': 'Revil Independence Day',
                          'url': 'https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/'},
                         {'description': 'Malik, A. (2016, October 14). Nitol '
                                         'Botnet makes a resurgence with '
                                         'evasive sandbox analysis technique. '
                                         'Retrieved September 30, 2021.',
                          'source_name': 'Netskope Nitol',
                          'url': 'https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique'}],
 'id': 'attack-pattern--a1df809c-7d0e-459f-8fe5-25474bab770b',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-21T23:58:09.956Z',
 'name': 'Delay Execution',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Deloitte Threat Library Team',
                          'Jeff Felling, Red Canary',
                          'Jorge Orchilles, SCYTHE',
                          'Ruben Dodge, @shotgunner101'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.0'}
Related Threat Actors (2)
Mustang Panda
High

AppleJeus
High