HANDS-ON LAB

Lab: Monitor & Manage System Resources

Resource Monitor, Performance Monitor & PowerShell for Security Analysis

Duration: 45-60 min
Difficulty: Intermediate
Environment: Windows 10/11

Lab Objectives

After completing this lab, you will be able to:

Windows Monitoring Tools Overview

Task Manager: Quick overview of running processes and basic resource usage

Resource Monitor: Detailed real-time CPU, memory, disk, and network per process

Performance Monitor: Historical data collection and custom performance counters

PowerShell: Scriptable queries and automation for monitoring


Task 1: Resource Monitor Deep Dive

Resource Monitor (resmon) provides more detailed information than Task Manager, including per-process network connections and disk activity.

Opening Resource Monitor

Win + R → resmon → Enter

Or: Task Manager → Performance tab → "Open Resource Monitor" link

Key Tabs to Explore

Tab       | Security Use Case
----------|---------------------------------------------------------------
Overview  | Quick glance at all resources with expandable sections
CPU       | See which processes have high CPU and their associated services
Memory    | Identify memory leaks and processes with large working sets
Disk      | Detect unusual file I/O (ransomware encrypting files)
Network   | See active connections per process with remote IPs

Security Focus: Network Tab

The Network tab shows exactly which processes are connecting to which remote IP addresses. This is invaluable for detecting:

  • C2 (Command & Control) beacons
  • Data exfiltration to unknown IPs
  • Processes that shouldn't be making network connections

Lab Question 1

Open the Network tab in Resource Monitor. List one process that has active network connections, including the remote IP address it's connecting to.

[ ] I explored all tabs in Resource Monitor and identified network connections by process

Task 2: Performance Monitor Basics

Performance Monitor (perfmon) allows you to track system metrics over time and create alerts - essential for establishing baselines and detecting anomalies.

Opening Performance Monitor

Win + R → perfmon → Enter

Adding Performance Counters

  1. In Performance Monitor, click the green + button
  2. Select counters from these categories:
    • Processor → % Processor Time
    • Memory → Available MBytes
    • PhysicalDisk → Disk Read Bytes/sec
    • Network Interface → Bytes Total/sec
  3. Click Add, then OK

SOC Baseline Tip: Document normal performance ranges during quiet periods. When investigating an incident, compare current values against your baseline to identify anomalies.

Key Security Counters

Counter            | Normal Range   | Suspicious If...
-------------------|----------------|------------------------------------
% Processor Time   | 0-30% (idle)   | Sustained 90%+ (cryptominer)
Available MBytes   | >1000 MB       | Near 0 (memory exhaustion attack)
Disk Writes/sec    | Variable       | Constant high I/O (ransomware)
Network Bytes/sec  | Variable       | Sustained upload (exfiltration)

[ ] I added CPU, Memory, Disk, and Network counters to Performance Monitor

Task 3: Creating Data Collector Sets

Data Collector Sets allow you to record performance data over time for later analysis - crucial for detecting patterns that indicate security issues.

Create a Security Monitoring Collector

  1. In Performance Monitor, expand Data Collector Sets
  2. Right-click User Defined → New → Data Collector Set
  3. Name it "Security_Baseline"
  4. Select "Create manually (Advanced)"
  5. Check "Performance counter" → Next
  6. Add these counters:
    • Processor → % Processor Time → _Total
    • Memory → Available MBytes
    • Network Interface → Bytes Sent/sec → [Your adapter]
    • Process → % Processor Time → _Total
  7. Set sample interval to 15 seconds
  8. Finish and save to default location

Running the Collector

  1. Right-click your new collector → Start
  2. Let it run for 2-3 minutes
  3. Right-click → Stop
  4. Expand Reports → User Defined → Security_Baseline to view data

Pro Tip: Schedule collectors to run during business hours to establish a "normal operations" baseline. Compare against this during incident investigation.
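The baseline-and-compare workflow from the SOC Baseline Tip and the Pro Tip above, as an added PowerShell example that is not part of the lab's own material. It samples the same counters the lab uses, stores mean and standard deviation per counter in a JSON file (the file path, the 3-sigma threshold and the script name are assumptions), and flags counters that drift from that baseline during triage.

```powershell
# Baseline_Check.ps1 (added example; not part of the lab's own material)
# -Mode baseline : sample the lab's counters over a quiet period and save mean/stdev per counter.
# -Mode check    : take a short sample now and flag counters more than 3 standard deviations
#                  from the stored baseline. Written for Windows PowerShell 5.1.
param(
    [ValidateSet('baseline', 'check')][string]$Mode = 'check',
    [string]$BaselinePath = "$env:USERPROFILE\Security_Baseline.json",   # assumed location
    [int]$Samples = 12,          # samples per run in baseline mode
    [int]$IntervalSeconds = 15   # same interval as the Security_Baseline collector set
)

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Disk Write Bytes/sec',
    '\Network Interface(*)\Bytes Sent/sec'
)

# Sample the counters and return @{ counterPath = @{ Mean; StdDev } }. Stdev is computed by
# hand because Measure-Object -StandardDeviation only exists in PowerShell 6+.
function Get-CounterStats {
    param([string[]]$Paths, [int]$Count, [int]$Interval)
    $samples = Get-Counter -Counter $Paths -SampleInterval $Interval -MaxSamples $Count
    $stats = @{}
    foreach ($g in ($samples.CounterSamples | Group-Object -Property Path)) {
        $values = @($g.Group | ForEach-Object { [double]$_.CookedValue })
        $mean = ($values | Measure-Object -Average).Average
        $var  = ($values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum / $values.Count
        $stats[$g.Name] = @{ Mean = [math]::Round($mean, 2); StdDev = [math]::Round([math]::Sqrt($var), 2) }
    }
    return $stats
}

if ($Mode -eq 'baseline') {
    $stats = Get-CounterStats -Paths $counters -Count $Samples -Interval $IntervalSeconds
    $stats | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline from $Samples samples saved to $BaselinePath"
    return
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$now = Get-CounterStats -Paths $counters -Count 3 -Interval $IntervalSeconds
foreach ($path in $now.Keys) {
    $b = $baseline.$path
    if (-not $b) { Write-Host "NEW      $path (not in baseline)"; continue }
    # Floor the deviation at 1 unit so a perfectly flat baseline counter cannot divide by zero.
    $z = ($now[$path].Mean - $b.Mean) / [math]::Max([double]$b.StdDev, 1.0)
    $flag = if ([math]::Abs($z) -gt 3) { 'ANOMALY' } else { 'ok' }
    '{0,-8} {1}  now={2}  baseline={3} (stdev {4})' -f $flag, $path, $now[$path].Mean, $b.Mean, $b.StdDev
}
```

Run `.\Baseline_Check.ps1 -Mode baseline` during a quiet period (about 3 minutes at the defaults), then `.\Baseline_Check.ps1` during an investigation; the check takes three samples, so it needs roughly 45 seconds.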

Lab Question 2

After running your collector for 2 minutes, what was the average % Processor Time?

[ ] I created, ran, and viewed results from a Data Collector Set

Task 4: PowerShell Resource Queries

PowerShell provides scriptable access to system resources, enabling automated monitoring and alerting.

Open PowerShell as Administrator

Win + X → Windows PowerShell (Admin)

Essential Monitoring Commands

Get CPU Usage:

Get-Counter '\Processor(_Total)\% Processor Time'

Get Memory Info:

Get-Counter '\Memory\Available MBytes'

Get Top CPU Processes:

Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Name,CPU,Id

Get Network Connections by Process:

Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'} | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,OwningProcess

Sample output (values from the lab's example session):

PS C:\> Get-Process | Sort-Object CPU -Descending | Select -First 5 Name,CPU,Id

Name        CPU    Id
----        ---    --
chrome   245.67 12456
MsMpEng   89.23  4532
explorer  34.56  2876
svchost   28.91  1204
dwm       15.44   980

Security Investigation Command:

Find processes with network connections to external IPs:

# Only established connections (listeners report 0.0.0.0 or :: as the remote address and would
# otherwise appear in the list), excluding loopback and all three RFC 1918 private ranges.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Process = $proc.Name; RemoteIP = $_.RemoteAddress; Port = $_.RemotePort }
    }

Lab Question 3

Run the "Top CPU Processes" command. What are the top 3 processes by CPU usage on your system?

[ ] I ran PowerShell commands to query CPU, memory, processes, and network connections

Task 5: Build a Security Monitoring Script

Combine your knowledge into a reusable security monitoring script.

Security Snapshot Script

Copy this script to a .ps1 file and run it during incident response:

# Security_Snapshot.ps1
# Quick security status check for incident response

Write-Host "=== SECURITY SNAPSHOT ===" -ForegroundColor Cyan
Write-Host "Generated: $(Get-Date)" -ForegroundColor Gray
Write-Host ""

# High CPU Processes
# Out-Host renders each table immediately, so the sections stay in order next to Write-Host output.
Write-Host "--- TOP CPU CONSUMERS ---" -ForegroundColor Yellow
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, CPU, Id | Format-Table | Out-Host

# Memory Status
Write-Host "--- MEMORY STATUS ---" -ForegroundColor Yellow
$mem = Get-Counter '\Memory\Available MBytes'
Write-Host "Available Memory: $($mem.CounterSamples.CookedValue) MB"

# External Network Connections (established, remote address outside loopback and RFC 1918 ranges)
Write-Host "`n--- EXTERNAL CONNECTIONS ---" -ForegroundColor Yellow
Get-NetTCPConnection |
    Where-Object { $_.State -eq 'Established' -and
                   $_.RemoteAddress -notmatch '^(127\.|192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Process  = $proc.Name
            PID      = $_.OwningProcess
            RemoteIP = $_.RemoteAddress
            Port     = $_.RemotePort
        }
    } | Format-Table | Out-Host

# Listening Ports
Write-Host "--- LISTENING PORTS ---" -ForegroundColor Yellow
Get-NetTCPConnection -State Listen | Select-Object LocalPort, OwningProcess | Sort-Object LocalPort | Format-Table | Out-Host

Write-Host "=== END SNAPSHOT ===" -ForegroundColor Cyan
Usage Tip: Save this script as Security_Snapshot.ps1 and add it to your incident response toolkit. Run it immediately when investigating a potentially compromised system.
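A companion to the investigation command in Task 4 and the snapshot script above, added here as an example that is not part of the lab's own toolkit: it records the listening ports and external connections of a known-good host to a JSON file and, on later runs, prints only what is new. The script name, file path and output labels are assumptions; the private-address test parses the address rather than wildcard-matching the string, so it also covers the 172.16/12 range and IPv6.

```powershell
# Connection_Diff.ps1 (added example; not part of the lab's own script)
# Run once with -Baseline on a known-good host, then re-run during triage to list only
# listeners and process->remote pairs that were not present in the baseline.
param(
    [switch]$Baseline,
    [string]$Path = "$env:USERPROFILE\Connection_Baseline.json"   # assumed location
)

# True for loopback, link-local, unspecified, RFC 1918 and IPv6 ULA addresses.
function Test-PrivateAddress {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        return [System.Net.IPAddress]::IsLoopback($ip) -or $ip.IsIPv6LinkLocal -or
               (($b[0] -band 0xFE) -eq 0xFC) -or ($Address -eq '::')
    }
    return ($b[0] -in @(0, 10, 127)) -or ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

# Listening "process:port" and established "process->ip:port" pairs as sorted unique strings.
function Get-ConnectionSnapshot {
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.Name }
    $who = { $n = $names[[int]$args[0]]; if ($n) { $n } else { "pid$($args[0])" } }
    $listen = Get-NetTCPConnection -State Listen | ForEach-Object {
        '{0}:{1}' -f (& $who $_.OwningProcess), $_.LocalPort } | Sort-Object -Unique
    $external = Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } | ForEach-Object {
        '{0}->{1}:{2}' -f (& $who $_.OwningProcess), $_.RemoteAddress, $_.RemotePort } | Sort-Object -Unique
    return @{ Listening = @($listen); External = @($external) }
}

$snap = Get-ConnectionSnapshot
if ($Baseline) {
    $snap | ConvertTo-Json | Set-Content -Path $Path
    Write-Host "Saved $($snap.Listening.Count) listeners, $($snap.External.Count) external connections to $Path"
    return
}
$known = Get-Content -Path $Path -Raw | ConvertFrom-Json
Write-Host "--- NEW LISTENERS (process:port) ---" -ForegroundColor Yellow
$snap.Listening | Where-Object { $_ -notin @($known.Listening) }
Write-Host "--- NEW EXTERNAL CONNECTIONS (process->ip:port) ---" -ForegroundColor Yellow
$snap.External | Where-Object { $_ -notin @($known.External) }
```

Process names are resolved through a single Get-Process call instead of one per connection, so the snapshot stays quick on hosts with many sockets.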

Lab Question 4

Run the Security Snapshot script. How many external (non-local) network connections are currently established?

[ ] I created and ran the Security Snapshot script
[ ] I understand how to use these tools for incident response triage