Hi, I have read an article at Dark Reading on detecting Indicators of Compromise. The top IoC listed is unusual outbound transmissions. I think she said most infections transmit beacons back to the attacker. How would you go about finding this? I do have a switch with a mirror port, and I think I have a hacked Windows 10 machine running naked with only Kaspersky Total Security.
I believe most home user security tools don't offer this feature. They mostly look for outbound access to known bad IPs. The best you could do is to give only a few apps network access and block all others, including system processes like explorer.exe. Of course malware may inject code into the browser to connect out, and it's not easy to figure out which traffic is legit, even with network monitors.
I think I found what I am looking for. Using Wireshark, I could filter packet capture to display only traffic to and from one host. Since I mostly surf on that box, any outgoing traffic would be suspicious.
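As an added example (not part of the thread above), here is one way to go a step further than eyeballing the filtered capture: group the suspect host's outbound connections by destination and flag destinations it contacts at a nearly constant interval, which is what a malware check-in looks like and what ordinary browsing rarely produces. The host address, the destination addresses and the flow records are all constructed for the example; in practice the records would come from the mirror-port capture.

```python
"""Beacon-interval check over outbound flow records from one host.

Added example, not from the thread. Each record is
(timestamp_seconds, src_ip, dst_ip, dst_port), the kind of tuple you can
export from a Wireshark/tshark capture. Connections to the same
(dst_ip, dst_port) are sorted by time, the gaps between them are
measured, and a destination whose gaps have a low coefficient of
variation (stdev / mean) is reported as a candidate beacon.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed LAN address of the suspect Windows 10 box (constructed).
MONITORED_HOST = "192.168.1.20"

# Constructed sample traffic (documentation-range addresses, not real servers):
#  - a 60-second beacon to 203.0.113.10:443 with a few seconds of jitter
#  - a bursty browsing session to 198.51.100.5:443
#  - a few DNS lookups to the router, plus one inbound packet that must be ignored
SAMPLE_FLOWS = [
    (0,   "192.168.1.20", "203.0.113.10", 443),
    (9,   "192.168.1.20", "192.168.1.1",  53),
    (10,  "192.168.1.20", "198.51.100.5", 443),
    (12,  "192.168.1.20", "198.51.100.5", 443),
    (13,  "192.168.1.20", "198.51.100.5", 443),
    (50,  "192.168.1.1",  "192.168.1.20", 53),   # inbound: not our host's traffic
    (61,  "192.168.1.20", "203.0.113.10", 443),
    (94,  "192.168.1.20", "192.168.1.1",  53),
    (95,  "192.168.1.20", "198.51.100.5", 443),
    (96,  "192.168.1.20", "198.51.100.5", 443),
    (119, "192.168.1.20", "203.0.113.10", 443),
    (181, "192.168.1.20", "203.0.113.10", 443),
    (240, "192.168.1.20", "203.0.113.10", 443),
    (299, "192.168.1.20", "192.168.1.1",  53),
    (300, "192.168.1.20", "198.51.100.5", 443),
    (302, "192.168.1.20", "203.0.113.10", 443),
    (305, "192.168.1.20", "198.51.100.5", 443),
    (359, "192.168.1.20", "203.0.113.10", 443),
    (420, "192.168.1.20", "203.0.113.10", 443),
]


def outbound_gaps(flows, src):
    """Return {(dst_ip, dst_port): [gap_seconds, ...]} for connections from src."""
    by_dst = defaultdict(list)
    for ts, s, d, port in flows:
        if s == src:                      # outbound only; drop replies and other hosts
            by_dst[(d, port)].append(ts)
    gaps = {}
    for key, times in by_dst.items():
        times.sort()
        gaps[key] = [later - earlier for earlier, later in zip(times, times[1:])]
    return gaps


def find_beacons(flows, src, min_connections=6, max_cv=0.2):
    """List destinations contacted at a regular interval, most regular first.

    min_connections: too few samples make any interval look regular.
    max_cv: stdev/mean of the gaps; 0.2 tolerates modest jitter while
            rejecting the irregular bursts of interactive browsing.
    """
    findings = []
    for (dst, port), gaps in outbound_gaps(flows, src).items():
        if len(gaps) + 1 < min_connections:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "dst": dst,
                "port": port,
                "count": len(gaps) + 1,
                "interval": round(avg, 1),
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS, MONITORED_HOST):
        print(f"{f['dst']}:{f['port']} every ~{f['interval']}s "
              f"({f['count']} connections, cv={f['cv']})")
```

On the sample data only 203.0.113.10:443 is reported (about every 60 s, cv near 0.03); the browsing session to 198.51.100.5 has the same number of connections but wildly uneven gaps, and the DNS traffic has too few to judge. Real captures need a longer window than a few minutes, and keep-alives from chat clients, update checkers and cloud sync will also show up as regular intervals, so treat the output as a list of things to identify by process, not as a verdict. The records can be produced from a capture with tshark's `-T fields` output (`-e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`).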