From 7bd172f6b6764b22bde4e2b67a42c98049e2937b Mon Sep 17 00:00:00 2001
From: JrGoomer
Date: Tue, 24 Sep 2024 10:42:42 +0100
Subject: [PATCH] Create T1497.003.yaml (#2941)

* Create T1497.003.yaml

* Update T1497.003.yaml indentation

---------

Co-authored-by: Hare Sudhan
---
atomics/T1497.003/T1497.003.yaml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 atomics/T1497.003/T1497.003.yaml

diff --git a/atomics/T1497.003/T1497.003.yaml b/atomics/T1497.003/T1497.003.yaml
new file mode 100644
index 00000000..0771056c
--- /dev/null
+++ b/atomics/T1497.003/T1497.003.yaml
@@ -0,0 +1,23 @@
+attack_technique: T1497.003
+display_name: 'Time Based Evasion'
+atomic_tests:
+- name: Delay execution with ping
+ description: |
+ Uses the ping command to introduce a delay before executing a malicious payload.
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ evil_command:
+ description: Command to run after the delay
+ type: string
+ default: whoami
+ ping_count:
+ description: Number of ping requests to send (higher counts increase the delay)
+ type: integer
+ default: 250
+ executor:
+ command: |
+ ping -c #{ping_count} 8.8.8.8 > /dev/null
+ #{evil_command}
+ name: sh
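Review bot: The executor line `ping -c #{ping_count} 8.8.8.8 > /dev/null` hard-codes an external address, so every run sends ICMP to a third-party host and the delay depends on the lab's egress; where the network is unreachable ping can exit at once, and the second command then runs with no delay to observe. Making the target an input argument that defaults to loopback keeps the test self-contained, with the command line becoming `ping -c #{ping_count} #{ping_target} > /dev/null`; the new argument is sketched below. The description could also state the expected duration, since at ping's default one-second interval the default count of 250 is roughly four minutes, which a runner with a shorter execution timeout (Invoke-AtomicTest's `-TimeoutSeconds`, for instance) would likely cut off before `#{evil_command}` runs.

```yaml
  input_arguments:
    # … unchanged: evil_command, ping_count …
    ping_target:
      description: Host to ping for the delay; loopback keeps the test off the network
      type: string
      default: '127.0.0.1'
```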