Abstract

There is growing awareness of the rise in living-off-the-land (LOTL) attacks, in which adversaries misuse legitimate system tools, particularly by state-sponsored actors targeting critical infrastructure in the United States. These attacks are difficult to detect because they allow attackers to remain present in a system for an extended period without the user’s knowledge. This thesis establishes an initial baseline of normal system activity specifically for Windows operating systems, measuring CPU usage, memory utilization, and process activity. It particularly examines the use of PowerShell alongside other applications. The findings from this baseline are used to develop detection rules that security tools can integrate to identify anomalies that deviate from normal system metrics. Finally, recommendations are made to expand this research by analyzing additional system tools and incorporating network activity into the baselines, to improve the detection of these increasingly sophisticated and damaging attacks.

Details

1010268
Business indexing term
Title
Establishing a Baseline for Detecting LOTL Attacks in Windows Operating Systems
Number of pages
272
Publication year
2025
Degree date
2025
School code
0132
Source
MAI 86/12(E), Masters Abstracts International
ISBN
9798280756526
Committee member
Trawick, George; Perkins, Andy
University/institution
Mississippi State University
Department
Department of Computer Science and Engineering
University location
United States -- Mississippi
Degree
M.S.
Source type
Dissertation or Thesis
Language
English
Document type
Dissertation/Thesis
Dissertation/thesis number
31934324
ProQuest document ID
3218003446
Document URL
https://www.proquest.com/dissertations-theses/establishing-baseline-detecting-lotl-attacks/docview/3218003446/se-2?accountid=208611
Copyright
Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works.
Database
ProQuest One Academic