Resource Monitor (resmon)

Microsoft

Built-in Windows tool giving a real-time view of CPU, memory, disk, and network activity per process.

Endpoint Analysis Built-in OS GUI Practiced in lab Windows

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Preparation
9 Detection & Analysis
10 Containment, Eradication & Recovery
11 Post-Incident Activity

Description

Resource Monitor (resmon.exe) is the built-in Windows companion to Task Manager, adding per-process drill-down across CPU, memory, disk, and network resources. It exposes columns such as "Network Send (B/sec)", "Disk Read (B/sec)", and "Listening Ports" that make it useful for spotting beaconing C2 traffic, crypto-mining CPU spikes, or unexpected listeners.

For CySA+, it is one of the built-in first-responder tools for live triage on Windows when nothing else is installed.

Use cases

  • Live triage of a possibly compromised Windows host
  • Identifying which process is generating outbound traffic
  • Spotting unexpected TCP listeners pre-Sysmon
  • Quick CPU/memory baseline before deeper EDR review

Example

:: Launch Resource Monitor
resmon
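
Resource Monitor's Listening Ports and TCP Connections views cannot be pasted into triage notes, so the following added PowerShell example (not part of the original page) captures the same per-process information as text. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated session; the function name Get-ConnectionOwner is hypothetical.

```powershell
# Added example (not from the original page). Get-ConnectionOwner is a
# hypothetical helper name. Run elevated so executable paths resolve.

# Index running processes by PID once, so each connection lookup is cheap.
$procById = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $procById[[int]$_.ProcessId] = $_
}

function Get-ConnectionOwner {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Listen', 'Established')]
        [string]$State
    )
    # A state with no matching sockets is not an error during triage.
    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $procById[[int]$_.OwningProcess]
            [pscustomobject]@{
                ProcessId = $_.OwningProcess
                Process   = if ($p) { $p.Name } else { '<exited>' }
                LocalPort = $_.LocalPort
                Local     = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                Path      = if ($p) { $p.ExecutablePath } else { $null }
            }
        }
}

# "Listening Ports" equivalent: compare against the host's known baseline.
Get-ConnectionOwner -State Listen |
    Sort-Object LocalPort |
    Format-Table ProcessId, Process, Local, Path -AutoSize

# "TCP Connections" equivalent: established sessions to non-loopback peers,
# ordered by owning process so one process's peers sit together.
Get-ConnectionOwner -State Established |
    Where-Object { $_.Remote -notmatch '^(127\.|::1:)' } |
    Sort-Object Process, Remote |
    Format-Table ProcessId, Process, Local, Remote, Path -AutoSize
```

A single snapshot shows current sockets only; periodic traffic such as beaconing appears only across repeated runs or in Resource Monitor's live view.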