MITRE ATT&CK® Detection Strategy

DET0372: Multi-Platform Detection Strategy for T1678 - Delay Execution


Domain: Enterprise | ID: DET0372 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0372 is a MITRE detection strategy placeholder for detecting Delay Execution (T1678), a stealth behavior where adversaries use time-based delays, system clocks, sleep logic, or scheduling mechanisms to make malicious activity harder to analyze or correlate. For leaders, the practical issue is not the delay itself; it is whether security operations can connect events that are intentionally separated in time across Linux, macOS, and Windows systems.

Executive priority

Treat this as a validation point for SOC and incident response readiness. Delayed execution can weaken sandbox analysis, alert correlation, and incident timelines if teams only inspect short time windows. Security leaders should ask whether endpoint, process, command, and scheduling telemetry is retained long enough, correlated well enough, and available quickly enough to support investigations and audit evidence after suspicious activity is intentionally deferred.

Technical view

The supplied ATT&CK object carries no official detection text and no platforms of its own, but its one relationship states that it detects T1678 Delay Execution, a technique associated with Linux, macOS, and Windows and with the stealth tactic. Detection engineering should therefore focus on host-based evidence of timing behavior and deferred execution: process activity, command execution, scheduled task/job mechanisms, and timestamp patterns that show execution was intentionally delayed. IR teams should build timelines across longer windows rather than assuming causality only between immediately adjacent events.

Likely telemetry

  • Endpoint process creation and command-line telemetry
  • Host scheduling artifacts and scheduled task/job records
  • Script interpreter activity where timing or sleep behavior may appear
  • System time and timestamp metadata relevant to execution sequencing
  • Sandbox or malware-analysis execution traces where short observation windows may miss delayed behavior

Detection direction

  • Validate whether detections can correlate activity separated by meaningful time gaps, not only near-real-time parent/child chains.
  • Review analytics for benign administrative scheduling and automation to reduce false positives while preserving visibility into unusual deferred execution patterns.
  • Confirm that Linux, macOS, and Windows telemetry sources are comparable enough to support cross-platform investigation of delayed behavior.
  • Test whether sandbox and detonation workflows observe samples long enough to identify time-delayed actions, while recognizing that this ATT&CK object provides no official detection logic.
  • Use the relationship to T1678 as context: prioritize evidence of time-based evasion and delayed follow-on execution rather than treating all scheduled activity as suspicious.
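The correlation, baselining and sleep-indicator points above, as an added worked example that is not part of the MITRE object or of the Glexia page. It runs over constructed endpoint telemetry in an assumed normalized schema (ts, host, platform, event, image, cmdline, task_name, action); the hosts, file paths, task names, the BASELINE_ACTIONS allowlist and the sleep-primitive patterns are all hypothetical. It shows the two checks the text asks for: flagging command lines that embed a long sleep, and pairing a scheduling artifact with the later execution of its action, where a five-minute correlation window returns nothing, a 24-hour window returns the deferred runs, and a local baseline suppresses the approved backup job.

```python
import re
from datetime import datetime

# Constructed sample telemetry in an assumed normalized schema. Not real EDR output,
# and not data from the ATT&CK object; hosts, paths and task names are hypothetical.
EVENTS = [
    {"ts": "2024-05-01T09:00:05Z", "host": "ws1", "platform": "windows", "event": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Start-Sleep -Seconds 1800; & C:\\Users\\Public\\stage2.exe"'},
    {"ts": "2024-05-01T09:01:00Z", "host": "ws1", "platform": "windows", "event": "task_create",
     "task_name": "\\Microsoft\\Windows\\Updater", "action": "C:\\Users\\Public\\stage2.exe"},
    {"ts": "2024-05-01T09:05:00Z", "host": "lx1", "platform": "linux", "event": "task_create",
     "task_name": "crontab:uid=1000", "action": "/tmp/.cache/run.sh"},
    {"ts": "2024-05-01T09:05:10Z", "host": "lx1", "platform": "linux", "event": "process_create",
     "image": "/bin/sh", "cmdline": "/bin/sh -c 'sleep 900 && /tmp/.cache/run.sh'"},
    {"ts": "2024-05-01T09:06:00Z", "host": "lx1", "platform": "linux", "event": "process_create",
     "image": "/bin/sh", "cmdline": "/bin/sh -c 'sleep 2; systemctl is-active nginx'"},
    {"ts": "2024-05-01T09:20:10Z", "host": "lx1", "platform": "linux", "event": "process_create",
     "image": "/tmp/.cache/run.sh", "cmdline": "/tmp/.cache/run.sh"},
    {"ts": "2024-05-01T09:30:00Z", "host": "ws1", "platform": "windows", "event": "task_create",
     "task_name": "\\Corp\\NightlyBackup", "action": "C:\\Program Files\\Backup\\backup.exe"},
    {"ts": "2024-05-01T10:30:00Z", "host": "ws1", "platform": "windows", "event": "process_create",
     "image": "C:\\Program Files\\Backup\\backup.exe", "cmdline": "backup.exe --nightly"},
    {"ts": "2024-05-01T21:00:00Z", "host": "ws1", "platform": "windows", "event": "process_create",
     "image": "C:\\Users\\Public\\stage2.exe", "cmdline": "C:\\Users\\Public\\stage2.exe"},
]

# Hypothetical local baseline of approved automation actions, the "legitimate
# administrative scheduling" the page says analytics must be tuned against.
BASELINE_ACTIONS = frozenset({"C:\\Program Files\\Backup\\backup.exe"})

# Common sleep primitives in command lines; each captures a duration in seconds.
# ping -n N to loopback is approximated as N seconds; Start-Sleep -Milliseconds is
# deliberately not matched so sub-second delays never trip the indicator.
SLEEP_PATTERNS = [
    re.compile(r"Start-Sleep\s+(?:-Seconds\s+)?(\d+)", re.IGNORECASE),
    re.compile(r"\btimeout(?:\.exe)?\s+/t\s+(\d+)", re.IGNORECASE),
    re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.IGNORECASE),
    re.compile(r"\bsleep\s+(\d+)"),
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def sleep_seconds(cmdline):
    """Largest explicit sleep duration (seconds) found in a command line, or 0."""
    return max((int(m.group(1)) for p in SLEEP_PATTERNS for m in p.finditer(cmdline)), default=0)


def sleep_indicators(events, min_seconds=300):
    """Process-creation events whose command line sleeps for at least min_seconds."""
    hits = []
    for e in events:
        if e["event"] != "process_create":
            continue
        secs = sleep_seconds(e["cmdline"])
        if secs >= min_seconds:
            hits.append({"ts": e["ts"], "host": e["host"], "seconds": secs, "cmdline": e["cmdline"]})
    return hits


def deferred_executions(events, window_seconds, baseline=frozenset(), min_gap_seconds=300):
    """Pair each scheduling artifact with the first later execution of its action on the
    same host. Only pairs separated by at least min_gap_seconds and at most window_seconds
    are returned, so a short window silently drops the delayed pairs, and actions in the
    baseline are never paired at all."""
    evs = sorted(events, key=_ts)
    hits = []
    for i, create in enumerate(evs):
        if create["event"] != "task_create" or create["action"] in baseline:
            continue
        for run in evs[i + 1:]:
            gap = int((_ts(run) - _ts(create)).total_seconds())
            if gap > window_seconds:
                break  # events are time-ordered: nothing later can fall inside the window
            if run["host"] != create["host"] or run["event"] != "process_create":
                continue
            if run["image"] != create["action"]:
                continue
            if gap >= min_gap_seconds:
                hits.append({"host": create["host"], "task_name": create["task_name"],
                             "action": create["action"], "scheduled_at": create["ts"],
                             "ran_at": run["ts"], "gap_seconds": gap})
            break  # the first execution of this action settles the pair
    return hits


if __name__ == "__main__":
    for window in (300, 86400):
        print(f"window={window}s:", deferred_executions(EVENTS, window, BASELINE_ACTIONS))
    print("sleep indicators:", sleep_indicators(EVENTS))
```

With the five-minute window both deferred runs (the stage2.exe task on ws1, executed almost twelve hours after creation, and the cron entry on lx1, executed fifteen minutes later) are invisible; the 24-hour window surfaces both, and the backup job is dropped only because its action is in the baseline, which is the trade-off the page describes between noise reduction and visibility.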

Mitigation priorities

  • Prioritize telemetry retention and timeline correlation so investigators can reconstruct delayed activity.
  • Harden and monitor native scheduling mechanisms according to existing administrative baselines and least-privilege practices.
  • Ensure SOC playbooks explicitly account for delayed execution when triaging suspicious files, scripts, or processes.
  • Tune detections with local baselines for legitimate automation to avoid excessive noise.
  • Review malware-analysis and sandbox procedures for limitations caused by short execution windows.

Analyst notes and limits

This object is a detection strategy for T1678, but the supplied official fields do not include a description, detection text, tactics, or platforms for DET0372 itself. The actionable framing here is derived from its relationship to the Delay Execution technique and that technique’s supplied platform and tactic context.

No active exploitation, threat actor usage, specific data sources, concrete analytic logic, or vendor controls are provided in the supplied STIX fields. Local telemetry, retention, operating-system coverage, and administrative automation baselines are required to determine actual detection coverage.

Official MITRE ATT&CK definition

Multi-Platform Detection Strategy for T1678 - Delay Execution

No official description is available in the imported ATT&CK source object.

The same entry is published on attack.mitre.org; in-page links on this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name             Relationship / procedure
Enterprise  T1678  Delay Execution  This object detects Delay Execution.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 63108bf6f16017c0...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  63108bf6f160…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0372 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.