AN0398: Analytic 0398
Use of `usleep`, `nanosleep`, or `NSTimer` calls in executables or binaries with no GUI interaction, especially followed by disk/network activity.
Analyst context for executives and security teams
This analytic highlights a macOS detection opportunity around command-line or background executables that call sleep/timer functions such as `usleep`, `nanosleep`, or `NSTimer` without GUI interaction, particularly when that delay is followed by disk or network activity. For leaders, the value is not the function call alone; it is whether the SOC can distinguish normal background timing behavior from suspicious delayed execution patterns that may affect investigation speed and response confidence.
Executive priority
Prioritize this as a macOS endpoint visibility and SOC-readiness question. Security leaders should ask whether managed detection, EDR, and telemetry pipelines can correlate process behavior, timer/sleep usage, user interaction context, and subsequent disk or network activity. Because ATT&CK provides no tactic, relationship context, or formal detection logic here, this should be treated as a validation item for coverage and evidence quality rather than a standalone high-confidence risk signal.
Technical view
For macOS, validate whether endpoint telemetry can identify executables or binaries using `usleep`, `nanosleep`, or `NSTimer`, determine whether the process has GUI interaction, and correlate later disk or network activity. Detection engineering should avoid treating sleep/timer calls as inherently malicious; they are common in legitimate software. The stronger analytic direction is behavioral correlation: non-GUI process, timer/sleep behavior, then meaningful file or network activity within a defined time window.
Likely telemetry
- macOS process execution telemetry
- Endpoint or EDR behavioral telemetry showing API/function usage or equivalent runtime indicators
- Process ancestry and command-line context
- Signals indicating GUI versus non-GUI process interaction where available
- File creation, modification, or other disk activity following execution delay
Detection direction
- Validate whether current macOS telemetry can observe or infer use of `usleep`, `nanosleep`, or `NSTimer`; many environments may not collect this directly.
- Correlate sleep/timer behavior with lack of GUI interaction and subsequent disk or network activity rather than alerting on the function call alone.
- Tune against legitimate daemons, agents, installers, updaters, and scheduled background applications that commonly sleep or use timers.
- Review process lineage, binary location, signing status, and recurrence patterns to separate expected background behavior from unusual executable activity.
- Because no ATT&CK relationship context or official detection logic is supplied, test this analytic with local baseline data before using it for alert severity decisions.
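The behavioral correlation described above (non-GUI process, sleep/timer indicator, then disk or network activity within a window, minus a baseline of signed agents), as an added example that is not part of the ATT&CK object or the Glexia page. The event stream, the allowlist path and the `gui`/`signed` flags are constructed for illustration; real EDR telemetry will carry different field names.

```python
from typing import Dict, List

# Constructed sample macOS event stream (not real telemetry): process start with an
# inferred GUI flag, a sleep/timer indicator, then later disk or network effects.
SAMPLE_EVENTS = [
    {"t": 100.0, "pid": 501, "type": "exec", "path": "/Library/Agents/updater", "signed": True, "gui": False},
    {"t": 100.5, "pid": 501, "type": "sleep", "api": "nanosleep"},
    {"t": 130.0, "pid": 501, "type": "net", "dest": "203.0.113.10:443"},
    {"t": 200.0, "pid": 777, "type": "exec", "path": "/private/tmp/.cache/helper", "signed": False, "gui": False},
    {"t": 200.2, "pid": 777, "type": "sleep", "api": "usleep"},
    {"t": 245.0, "pid": 777, "type": "file", "dest": "/Users/alice/Library/LaunchAgents/com.example.plist"},
    {"t": 300.0, "pid": 900, "type": "exec", "path": "/Applications/Mail.app/Contents/MacOS/Mail", "signed": True, "gui": True},
    {"t": 300.1, "pid": 900, "type": "sleep", "api": "NSTimer"},
    {"t": 301.0, "pid": 900, "type": "net", "dest": "192.0.2.5:993"},
    {"t": 400.0, "pid": 950, "type": "exec", "path": "/usr/local/bin/cron-job", "signed": False, "gui": False},
    {"t": 400.1, "pid": 950, "type": "sleep", "api": "usleep"},
    {"t": 1200.0, "pid": 950, "type": "file", "dest": "/tmp/out"},
]

# Hypothetical local baseline: signed background agents known to sleep/poll legitimately.
ALLOWLIST = {"/Library/Agents/updater"}
SLEEP_APIS = {"usleep", "nanosleep", "NSTimer"}


def correlate(events: List[dict], window_s: float = 300.0, allowlist=ALLOWLIST) -> List[dict]:
    """Flag processes that are non-GUI, not a baselined signed agent, show a
    sleep/timer indicator, and then touch disk or network within window_s seconds."""
    procs: Dict[int, dict] = {}
    hits: List[dict] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        p = procs.setdefault(ev["pid"], {})
        if ev["type"] == "exec":
            p.update(path=ev["path"], gui=ev["gui"], signed=ev["signed"], sleep_t=None, api=None)
        elif ev["type"] == "sleep" and "path" in p and ev["api"] in SLEEP_APIS and p["sleep_t"] is None:
            p["sleep_t"], p["api"] = ev["t"], ev["api"]  # remember the first sleep of this episode
        elif ev["type"] in ("file", "net") and p.get("sleep_t") is not None:
            baselined = p["signed"] and p["path"] in allowlist
            if p["gui"] or baselined:
                continue  # GUI apps and baselined signed agents sleep/poll legitimately
            delay = ev["t"] - p["sleep_t"]
            if delay <= window_s:
                hits.append({"pid": ev["pid"], "path": p["path"], "api": p["api"],
                             "effect": ev["type"], "dest": ev["dest"], "delay_s": round(delay, 1)})
            p["sleep_t"] = None  # one decision per sleep episode; a later effect needs a new sleep
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

On the sample stream only the unsigned helper in `/private/tmp` is flagged: the signed agent is baselined, Mail is a GUI process, and the cron job's write falls outside the 300-second window, which is the tuning knob local baselining should set.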
Mitigation priorities
- Ensure macOS endpoint monitoring captures process, file, and network activity with enough retention to reconstruct delayed behavior.
- Maintain an allowlist or baseline of expected signed background services, agents, and enterprise tools that legitimately use timers or sleep calls.
- Use application control, code-signing policy, and least-privilege controls where appropriate to reduce execution of untrusted binaries.
- Document telemetry coverage and analytic assumptions as compliance and incident-response evidence, especially where macOS systems are business-critical.
- Feed confirmed suspicious cases back into detection tuning and incident response playbooks rather than relying on this analytic as a standalone control.
Analyst notes and limits
This object is a detection analytic, AN0398, for the enterprise ATT&CK domain and macOS platform. The official description is limited to use of `usleep`, `nanosleep`, or `NSTimer` in executables or binaries with no GUI interaction, especially followed by disk or network activity. No tactics, relationships, aliases, labels, or official detection text were supplied.
The supplied ATT&CK fields do not identify an associated technique, tactic, adversary behavior, impact, or active exploitation. Detection feasibility depends heavily on local macOS telemetry depth; many tools may only show process, file, and network effects rather than direct API/function usage. Local baselining is required to manage false positives.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d38abb12e191… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0398 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.