Tier 6: Shadow Agent
CLH-028 of 030

System Monitoring

Watch everything. Detect anomalies. Stay invisible.

CLASSIFIED SCENARIO

Counter-intelligence has detected an intrusion at GRANITE SHIELD facility. You've been deployed to monitor the compromised server in real-time. Identify the hostile process consuming resources, track down the rogue operator, and gather intel on their activities - all while remaining undetected yourself. The enemy is watching.

Why System Monitoring Matters

Real-time system monitoring is essential for both offense and defense:

Threat Indicators to Watch

Core Monitoring Commands

top

Real-time process monitor. The classic tool for watching CPU, memory, and processes live.

htop

Enhanced top with colors, tree view, and mouse support. Better for visual analysis.

vmstat

Virtual memory statistics. Shows memory, swap, I/O, and CPU at a glance.

watch

Run any command repeatedly. Perfect for monitoring changes over time.

Command Deep Dive

top - Real-Time Process Monitor

    root@granite:# top
    top - 14:32:17 up 45 days,  3:21,  2 users,  load average: 4.52, 3.18, 1.05
    Tasks: 203 total,   3 running, 200 sleeping,   0 stopped,   0 zombie
    %Cpu(s): 87.3 us,  4.2 sy,  0.0 ni,  8.1 id,  0.0 wa,  0.4 hi
    MiB Mem: 16384.0 total, 2048.5 free, 12288.0 used, 2047.5 buff/cache

      PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
    31337 nobody    20   0 4194304   3.8G   512K R  85.2  23.4 142:17.89 xmrig
     1842 mysql     20   0 1835648 512000   8192 S   2.3   3.1  45:23.12 mysqld
      892 www-data  20   0  256000  64000   4096 S   0.7   0.4   8:42.33 apache2

    [ALERT] PID 31337 - Unknown process 'xmrig' consuming 85% CPU!
    [INTEL] xmrig = cryptocurrency miner. System compromised.

top Hotkeys

P - Sort by CPU | M - Sort by memory | k - Kill process | u - Filter by user | q - Quit

htop - Enhanced Process Viewer

    root@granite:# htop
    CPU[||||||||||||||||||||||||||||||||||||||||90.2%]
    Mem[||||||||||||||||||                  12.0G/16G]
    Swp[                                      0K/2.0G]

      PID USER     PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
    31337 nobody    20   0  4.0G  3.8G  512K R 85.2 23.4  2:22:17 /tmp/.hidden/xmrig -o pool.evil.net
     1842 mysql     20   0  1.8G  500M 8192K S  2.3  3.1    45:23 /usr/sbin/mysqld
      422 root      20   0   28M  5.1M  3.2M S  0.3  0.0     0:42 /usr/sbin/sshd -D

    [DETAIL] Full command line visible - connecting to pool.evil.net
    [VECTOR] Miner hidden in /tmp/.hidden/ directory

vmstat - System Statistics

    root@granite:# vmstat 2 5    # Every 2 seconds, 5 times
    procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
     r  b   swpd    free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
     3  0      0 2097152 262144 524288    0    0    12   156  892 1245 87  4  8  0  1
     3  0      0 2088960 262144 524288    0    0     0   128  912 1312 89  3  7  0  1
     4  0      0 2080768 262144 524288    0    0     0   112  945 1356 91  2  6  0  1

    [ANALYSIS] 'r' column shows 3-4 runnable processes
    [ALERT] 'us' (user CPU) consistently at 87-91% - abnormal!

watch - Repeat Commands

    # Monitor network connections every 2 seconds
    root@granite:# watch -n 2 'ss -tunapl | grep ESTAB'
    Every 2.0s: ss -tunapl | grep ESTAB

    ESTAB  0  0  192.168.1.50:22     10.0.0.5:54321       users:(("sshd",pid=422))
    ESTAB  0  0  192.168.1.50:45678  185.243.115.84:3333  users:(("xmrig",pid=31337))
    ESTAB  0  0  192.168.1.50:3306   192.168.1.100:52341  users:(("mysqld",pid=1842))

    [DETECTED] Outbound connection to 185.243.115.84:3333 (mining pool!)
    [C2] This is the miner's command & control connection

Quick Reference

| Command | Purpose | Key Options |
|---|---|---|
| top | Real-time process view | P (CPU), M (mem), k (kill), u (user) |
| htop | Enhanced top | F5 (tree), F9 (kill), F6 (sort) |
| vmstat 2 | Memory/CPU stats | Interval in seconds |
| watch -n 2 cmd | Repeat command | -n (interval), -d (highlight changes) |
| free -h | Memory usage | -h (human readable) |
| uptime | Load averages | 1, 5, 15 minute averages |

Threat Hunting Workflow

    # === STANDARD THREAT HUNT SEQUENCE ===

    # 1. Check system load
    root@granite:# uptime
    14:32:17 up 45 days, load average: 4.52, 3.18, 1.05

    # 2. Identify CPU hogs
    root@granite:# ps aux --sort=-%cpu | head -5

    # 3. Check memory consumers
    root@granite:# ps aux --sort=-%mem | head -5

    # 4. Watch for anomalies in real-time
    root@granite:# top -b -n 1 | head -20

    # 5. Track network connections
    root@granite:# ss -tunapl | grep ESTAB

    # 6. Continuous monitoring
    root@granite:# watch -n 5 'ps aux --sort=-%cpu | head -5'

    [WORKFLOW] Systematic approach catches most threats

Ready to Hunt Threats?

Test your monitoring skills, then investigate the compromised server.

Tier 6: SHADOW AGENT - Security Operations