htop

Hisham Muhammad

Interactive, colourised process viewer for Unix — the modern `top` replacement.

Endpoint Analysis · Free & Open Source · CLI · Practiced in lab · Linux · macOS

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on Objectives

Defender — IR Lifecycle

  8. Detection / Monitoring
  9. Containment & Eradication
  10. Post-incident Forensics

Description

htop is the interactive, colourised process viewer that replaced top on most analyst workstations. It is keyboard-driven, mouse-aware, and exposes information the original top does not:

  • Process parent/child tree (F5).
  • Search and filter (F3 / F4).
  • Kill a process by selecting and pressing F9.
  • Per-CPU and per-thread views.
  • Customisable columns and meters.

Sibling tools worth knowing: atop (records system activity to binary logs for later replay), btop (rich TUI graphs), and glances (cross-platform Python alternative).

Use cases

  • Interactive live triage during a Linux incident
  • Spotting CPU/memory hogs in real time
  • Killing a stuck malicious process during containment

Example

htop -u www-data              # show only processes owned by www-data
htop -p "$(pgrep -d, nginx)"  # show only the listed PIDs (here: every nginx process)