ps / top

POSIX process listing utilities — first line of triage on any Unix host.

Tags: Endpoint Analysis · Built-in OS CLI · Practiced in lab · Linux · macOS

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

The POSIX duo for process inspection — available on every Unix-like system without installation:

  • ps — snapshot of processes at a point in time. Classic invocations: ps aux, ps -ef, ps -eo pid,ppid,user,cmd.
  • top — interactive, refresh-every-N-seconds view of CPU and memory. Universal across distributions, even in stripped-down containers.

An analyst pairs these with lsof -i, ss -tulpan, and /proc/<pid>/ (cwd, exe, fd, environ, status) for full process context.

Use cases

  • Live triage on a Linux server during an incident
  • Finding the parent of a suspicious process
  • Identifying a process holding a deleted file open

Example

ps -eo pid,ppid,user,etime,cmd --sort=-etime | head -20
sudo lsof -i :443
sudo ss -tulpan
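The second and third use cases above (finding a suspicious process's parent, and spotting a process holding a deleted file open) can be answered straight from the /proc entries the description lists. The script below is an added example, not part of the original page: it walks the PPid chain from /proc/<pid>/status and scans /proc/<pid>/fd for symlinks carrying the kernel's "(deleted)" marker. It is Linux-only (macOS has no /proc), and the PROC_ROOT variable is an assumption of this example so the functions can be pointed at a constructed tree for testing.

```shell
# Added example, not from the original page: resolve a PID's parent chain and
# list its open descriptors whose target was unlinked, reading /proc directly.
# Linux only. PROC_ROOT is an assumption of this example (defaults to /proc).
PROC_ROOT="${PROC_ROOT:-/proc}"

# ppid_of PID: print the parent PID from the "PPid:" line of /proc/PID/status
ppid_of() {
    awk '/^PPid:/ { print $2; exit }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# comm_of PID: print the short command name from /proc/PID/comm
comm_of() {
    cat "$PROC_ROOT/$1/comm" 2>/dev/null
}

# parent_chain PID: print "pid comm" lines from PID up to PID 1, stopping
# early if a process in the chain no longer exists (status unreadable)
parent_chain() {
    pid="$1"
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null \
          && [ -r "$PROC_ROOT/$pid/status" ]; do
        printf '%s %s\n' "$pid" "$(comm_of "$pid")"
        pid="$(ppid_of "$pid")"
    done
}

# deleted_fds PID: print "fd target" for every descriptor whose symlink
# target ends in the "(deleted)" marker the kernel appends to unlinked files
deleted_fds() {
    for link in "$PROC_ROOT/$1"/fd/*; do
        [ -L "$link" ] || continue          # unmatched glob or missing fd dir
        target="$(readlink "$link")"
        case "$target" in
            *"(deleted)") printf '%s %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# Usage: sh triage.sh PID   (reading another user's /proc/PID/fd needs root)
if [ -n "${1:-}" ]; then
    echo "parent chain:";            parent_chain "$1"
    echo "deleted files held open:"; deleted_fds "$1"
fi
```

Compare the output with lsof +L1 or lsof -p PID on the same host; the /proc walk works even in a container where lsof is not installed.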