AN0396: Analytic 0396
Process creation involving suspicious delays (e.g., Sleep, ping -n loops, WaitForSingleObject), followed by sensitive system access or lateral movement behaviors.
Analyst context for executives and security teams
This analytic is about Windows processes that intentionally pause or delay execution, then proceed to sensitive system access or lateral movement behavior. For leaders, the value is not the delay itself; it is that timing gaps can be used to evade simple sandboxing, avoid immediate correlation, or make an intrusion sequence harder to reconstruct. This is a useful behavior to validate in managed detection and incident response readiness because it depends on whether endpoint and process telemetry can preserve context across time.
Executive priority
Prioritize this as a SOC and IR validation item for Windows environments where lateral movement and sensitive system access would create business disruption. Executives should ask whether detection engineering can correlate delayed process behavior with later high-risk actions, and whether incident responders can reconstruct the full process chain after a time gap. Because ATT&CK provides no official detection logic or relationship context for this analytic, it should support control validation and evidence collection rather than be treated as a standalone risk indicator.
Technical view
For Windows, validate visibility into process creation involving suspicious delay patterns such as Sleep-like behavior, ping-based wait loops, or WaitForSingleObject-style delays, especially when followed by sensitive system access or lateral movement behaviors. Since no tactics, relationships, or official detection text are supplied, SOC teams should treat this as a correlation use case: delayed execution is only meaningful when linked to later sensitive activity, parent-child process context, command-line evidence, and host/user context.
Likely telemetry
- Windows process creation events
- Process command-line arguments
- Parent-child process relationships
- Process timing and execution duration evidence
- Endpoint detection telemetry showing API or wait behavior where available
Detection direction
- Validate that process telemetry is retained long enough to correlate a suspicious delay with later activity on the same host, user, or process lineage.
- Tune detections to avoid alerting on delays alone; administrative scripts, installers, monitoring tools, and maintenance jobs may legitimately use wait loops or sleep functions.
- Look for combinations: delay indicators followed by sensitive system access or lateral movement behavior, rather than isolated use of ping, sleep, or wait functions.
- Confirm whether current EDR/SIEM parsing captures command lines, parent process context, timestamps, and process lineage needed for this analytic.
- Document blind spots where endpoint telemetry cannot expose wait APIs or where short retention breaks delayed-sequence correlation.
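As an added example (not from ATT&CK or Glexia), the correlation design described above run over constructed sample process events: a delay indicator is only raised when a sensitive or lateral-movement event follows on the same host, user and process lineage within a retention window. The delay regexes, the 30-minute window and the EDR-assigned `category` label are assumptions.

```python
import re
from datetime import datetime, timedelta

# Delay indicators named on this page; the regexes are illustrative assumptions.
DELAY_PATTERNS = [
    re.compile(r"\bping\b.*\s-n\s+\d+", re.I),     # ping -n loop used as a timer
    re.compile(r"\b(Start-)?Sleep\b", re.I),       # Sleep() / Start-Sleep
    re.compile(r"\bWaitForSingleObject\b", re.I),  # wait API, only if EDR exposes it
]
WINDOW = timedelta(minutes=30)  # assumption: how long a delay stays correlatable
SENSITIVE = {"sensitive_access", "lateral_movement"}  # assumption: EDR/analyst label

def is_delay(cmdline):
    return any(p.search(cmdline) for p in DELAY_PATTERNS)

def correlate(events, window=WINDOW):
    """Pair each delay process with later sensitive events on the same host and
    user within `window`, restricted to its lineage: the same process, a child
    of it, or a sibling spawned by the same parent (the ping-in-batch case).
    A delay with no qualifying follow-on produces nothing, by design."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, d in enumerate(events):
        if not is_delay(d["cmdline"]):
            continue
        for later in events[i + 1:]:
            if later["ts"] - d["ts"] > window:
                break  # past the horizon: the blind spot short retention creates
            same_ctx = later["host"] == d["host"] and later["user"] == d["user"]
            in_lineage = later["pid"] == d["pid"] or later["ppid"] in (d["pid"], d["ppid"])
            if same_ctx and in_lineage and later["category"] in SENSITIVE:
                alerts.append({"delay_pid": d["pid"], "later_pid": later["pid"],
                               "category": later["category"], "gap": later["ts"] - d["ts"]})
    return alerts

T0 = datetime(2024, 1, 1, 9, 0, 0)
def _ev(offset, host, user, pid, ppid, cmdline, category="benign"):
    return {"ts": T0 + offset, "host": host, "user": user, "pid": pid,
            "ppid": ppid, "cmdline": cmdline, "category": category}

# Constructed sample telemetry (not real logs); sensitive command lines are placeholders.
SAMPLE_EVENTS = [
    _ev(timedelta(0), "WS01", "alice", 100, 50, "cmd.exe /c script.bat"),
    _ev(timedelta(seconds=1), "WS01", "alice", 101, 100, "ping -n 300 127.0.0.1 >nul"),
    _ev(timedelta(minutes=5), "WS01", "alice", 102, 100, "<PLACEHOLDER_CMD>", "lateral_movement"),
    _ev(timedelta(minutes=10), "WS02", "svc_install", 200, 60, "powershell -c Start-Sleep 60"),
    _ev(timedelta(minutes=50), "WS01", "alice", 103, 100, "<PLACEHOLDER_CMD>", "sensitive_access"),
]
```

With the default window only the ping loop followed by the lateral-movement sibling alerts; the installer's Start-Sleep with no follow-on stays silent, and the 50-minute follow-on surfaces only when the window (i.e. retention) is widened.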
Mitigation priorities
- Ensure Windows endpoint logging and process creation telemetry are enabled and retained for correlation across time gaps.
- Strengthen least-privilege and access controls around sensitive systems so delayed execution does not automatically translate into high-impact access.
- Use detection engineering to correlate delayed process behavior with later sensitive access or lateral movement indicators, rather than relying on single-event signatures.
- Include delayed-execution process chains in incident response playbooks and tabletop evidence checks.
- Review exceptions for legitimate automation or administrative tooling so tuning does not suppress suspicious delayed sequences broadly.
Analyst notes and limits
This object is a detection analytic, AN0396, for Windows. The official description is narrow: suspicious process delays followed by sensitive system access or lateral movement behaviors. No ATT&CK tactics, detection text, relationships, aliases, or labels were supplied, so this analysis focuses on defensive validation, telemetry requirements, and correlation design.
No official detection logic, data sources, tactics, related techniques, procedures, or adversary relationships were provided. Local baselines are required to distinguish legitimate delayed execution from suspicious delayed process chains. This summary does not imply active exploitation, attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a85192a1a4db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0396 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.