MITRE ATT&CK® Analytic

AN0397: Analytic 0397

Script-based execution of sleep loops or time delay commands (e.g., sleep, ping delay, while-loops) followed by file creation or network connections.

Enterprise · AN0397 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because delayed execution can make suspicious Linux activity harder to connect in time: a script may wait using sleep-style loops and then create files or open network connections. For leaders, the value is not in the command itself, but in whether the SOC can correlate delayed process behavior with later file or network activity during an investigation.

Executive priority

Prioritize this as a validation point for Linux monitoring and incident response readiness. It helps answer whether teams can reconstruct suspicious script behavior across time, which supports containment decisions, audit evidence, and confidence in managed detection coverage. Because no tactic, relationship context, or official detection logic is supplied, it should be treated as a coverage assessment item rather than a standalone risk conclusion.

Technical view

For Linux environments, validate whether telemetry can link script execution, time-delay constructs such as sleep or loop behavior, and subsequent file creation or network connections under the same process tree, user, host, or session. Detection engineering should focus on correlation and sequencing rather than simply alerting on delay commands, which are common in legitimate administration and automation.

Likely telemetry

  • Linux process execution events, including command line where available
  • Parent-child process relationships and script interpreter activity
  • File creation events following delayed script execution
  • Network connection events following delayed script execution
  • User, host, session, and timestamp context for correlation

Detection direction

  • Validate that process, file, and network telemetry are retained long enough to correlate delayed activity.
  • Tune for suspicious sequences: script or shell execution using delay behavior followed by file creation or outbound network connection.
  • Avoid treating sleep or loop commands alone as high-confidence malicious activity; they are common in legitimate scripts.
  • Review gaps where command-line logging, process lineage, file event collection, or network connection logging is incomplete on Linux systems.
  • Because no official detection text or ATT&CK relationships are supplied, require local baselining and analyst review before operationalizing alerts.
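One way to implement the correlation described under Technical view and Detection direction, as an added example that is not MITRE's or Glexia's code: it links a delay construct (sleep, ping-based delay, while-loop) seen in an exec event to later file-creation or network-connection events in the same process tree. The events, user names, paths and address are constructed sample telemetry, and the delay patterns and one-hour window are assumptions to tune locally.

```python
"""Correlate delayed script execution with later file/network activity
in one Linux process tree. Events below are constructed, not real logs."""
import re

# Delay constructs named by the analytic: sleep, ping-based delays, while-loops.
DELAY_RE = re.compile(r"\b(?:sleep\s+\d+|ping\s+-c\s*\d+|while\s+(?:true|:))")

# Constructed events: (timestamp, kind, pid, ppid, user, detail)
EVENTS = [
    (100, "exec", 500, 1, "backup", "/bin/bash /opt/backup.sh"),
    (101, "exec", 501, 500, "backup", "sleep 300"),  # benign: no follow-up
    (200, "exec", 600, 1, "www-data", "/bin/sh -c 'while true; do sleep 60; done'"),
    (260, "exec", 601, 600, "www-data", "sleep 60"),
    (320, "file", 602, 600, "www-data", "/tmp/.cache/update.bin"),
    (330, "net", 602, 600, "www-data", "203.0.113.5:443"),
]


def _root_of(pid, parent):
    """Walk the parent map to the top of the process tree (bounded for safety)."""
    for _ in range(64):  # guard against cycles in incomplete lineage data
        ppid = parent.get(pid, 1)
        if ppid == 1 or ppid not in parent:
            return pid
        pid = ppid
    return pid


def correlate(events, max_gap=3600):
    """Return file/net events that follow a delay command in the same tree."""
    parent, delay_seen, hits = {}, {}, []
    for ts, kind, pid, ppid, user, detail in sorted(events):
        parent.setdefault(pid, ppid)  # lineage from exec or first sighting
        root = _root_of(pid, parent)
        if kind == "exec" and DELAY_RE.search(detail):
            delay_seen.setdefault(root, ts)  # earliest delay per tree
        elif kind in ("file", "net") and root in delay_seen:
            if 0 < ts - delay_seen[root] <= max_gap:
                hits.append({"root": root, "user": user, "kind": kind,
                             "delay_ts": delay_seen[root], "ts": ts,
                             "detail": detail})
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

The backup script's sleep yields no hit because nothing follows it in its tree, which is the sequencing point the guidance above makes.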

Mitigation priorities

  • Ensure Linux endpoint logging captures process lineage, command line where appropriate, file creation, and network connection metadata.
  • Baseline legitimate administrative scripts and scheduled automation that use delay loops.
  • Use least privilege and script execution governance to reduce unnecessary ability to create files or initiate network connections from untrusted script contexts.
  • Confirm incident response playbooks include timeline reconstruction across process, file, and network evidence.
  • Retain relevant telemetry long enough to investigate delayed sequences.

Analyst notes and limits

This object is a detection analytic, not a technique, and the supplied ATT&CK fields provide only a description, Linux platform, and external reference. The most defensible use is to guide telemetry validation and correlation logic for delayed script behavior followed by file or network activity.

No official detection logic, tactics, related techniques, data sources, mitigations, procedures, or threat relationships were supplied. Conclusions about maliciousness, priority, exposure, or coverage require local environment evidence and testing.

Official MITRE ATT&CK definition

Analytic 0397

Script-based execution of sleep loops or time delay commands (e.g., sleep, ping delay, while-loops) followed by file creation or network connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK Resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4312b5a05c347524...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 4312b5a05c34…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0397 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.