Home Network Security
The uncomfortable reality about home network intrusions is that most of them go undetected for a long time. A 2024 IBM Security study found that the average time between initial compromise and detection was 194 days. That's over six months of someone having access to your network without you knowing.
Part of the reason is that modern attacks are designed to be quiet. They don't slow your computer down noticeably, they don't display obvious messages, and they don't do anything that would make you pick up the phone and call your ISP. They just sit there, quietly, doing what they were put there to do.
Knowing what to look for changes this. Here are the warning signs that something may be wrong, and what to do when you spot them.
A device you don't recognize appearing in your router's connected devices list is one of the clearest indicators that someone has gained access to your WiFi.
If your internet usage stats show heavy data transfer when you're not actively using the internet, something on your network may be sending data without your knowledge.
DNS servers you didn't set, new port forwarding rules, or a changed admin password are all indicators that someone has accessed your router's admin interface.
Being sent to unexpected websites when you type familiar addresses, or search results that look slightly off, can indicate DNS hijacking at the router level.
Malware commonly tries to disable security software as one of its first actions. If your Windows Defender turned itself off, that's a serious warning sign.
Check your Windows user accounts periodically. Unauthorized accounts are a sign of a deeper compromise of that specific machine.
Log into your router's admin interface (type your Default Gateway address into a browser). Navigate to the connected devices or DHCP clients section. Write down every device listed. Then go through your home and identify what each one is: phones, laptops, tablets, smart TVs, game consoles, smart speakers, printers, security cameras, smart plugs, and anything else that connects to WiFi.
Any device you cannot account for is worth investigating. Look up the manufacturer of its MAC address online (the first three bytes identify the vendor) and compare against what you own. For a full walkthrough of this process, see our guide on how to check what devices are on your home network.
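The inventory comparison above, as an added example (not code from the article or from SentinelHome101): it parses a DHCP client list, reports every entry whose MAC is not in a known-device inventory, looks up the vendor from the first three bytes, and notes when an unknown MAC is a randomized "private address" of the kind phones now use, since that is the most common false alarm. The DHCP table, the inventory and the vendor table are constructed sample data; a real check pastes in the router's own list and uses the full IEEE OUI registry.

```python
"""Compare a router's DHCP client list against a known-device inventory.

Added example; not code from the original article or from SentinelHome101.
The DHCP table, the inventory and the vendor table are constructed sample
data: a real check pastes in the router's own list and uses the full IEEE
OUI registry for vendor lookup.
"""
import re

# Constructed sample in the layout many routers use for "DHCP clients".
DHCP_CLIENTS = """\
Hostname        IP Address      MAC Address
my-laptop       192.168.1.10    A8:BB:CC:11:22:33
living-room-tv  192.168.1.20    A8:BB:CC:44:55:66
android-phone   192.168.1.30    DD:EE:FF:01:02:03
iPhone          192.168.1.40    DA:11:22:33:44:55
*               192.168.1.99    11:22:33:44:55:66
"""

# Constructed inventory: MAC -> what the household knows that device is.
KNOWN_DEVICES = {
    "A8:BB:CC:11:22:33": "work laptop",
    "A8:BB:CC:44:55:66": "living room TV",
    "DD:EE:FF:01:02:03": "family phone",
}

# Constructed OUI (first three bytes) -> vendor table; placeholder names.
OUI_VENDORS = {
    "A8:BB:CC": "ExampleLaptopCo",
    "DD:EE:FF": "ExamplePhoneCo",
}

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")


def parse_dhcp_clients(text):
    """Return (hostname, ip, mac) tuples; lines without a MAC are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        hostname, ip = line.split()[:2]
        rows.append((hostname, ip, m.group(1).upper()))
    return rows


def is_randomized(mac):
    """True if the locally-administered bit is set in the first byte.

    Phones with a 'private Wi-Fi address' setting use such MACs, so an unknown
    entry with this bit set may be a household device hiding its real MAC
    rather than an intruder; identify it by hostname or IP instead.
    """
    return (int(mac[:2], 16) & 0x02) != 0


def vendor_for(mac):
    return OUI_VENDORS.get(mac[:8], "unknown vendor")


def unknown_devices(text, known=KNOWN_DEVICES):
    """Entries in the DHCP table whose MAC is not in the inventory."""
    return [
        {"hostname": h, "ip": ip, "mac": mac,
         "vendor": vendor_for(mac), "randomized_mac": is_randomized(mac)}
        for h, ip, mac in parse_dhcp_clients(text)
        if mac not in known
    ]


if __name__ == "__main__":
    for d in unknown_devices(DHCP_CLIENTS):
        print(f"UNKNOWN {d['mac']} {d['ip']} host={d['hostname']} "
              f"vendor={d['vendor']} randomized={d['randomized_mac']}")
```

Run against the sample, it flags two entries: the iPhone with a randomized MAC (most likely a family phone that should be added to the inventory by hostname) and the nameless device at 192.168.1.99 from an unknown vendor, which is the one worth walking the house for.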
Most routers keep a log of admin login attempts and configuration changes. Look for this in your router's interface under System Log, Security Log, or similar. Login attempts from IP addresses that are not your own devices, or configuration changes at times when you were not using the router, both warrant attention. Pay particular attention to DNS server settings, as attackers who gain router access often change DNS settings first. See our guide on what DNS hijacking is and how to detect it for more detail.
Open Command Prompt as Administrator and run:
netstat -b
This shows every active network connection along with which program on your computer made it. Look for connections from programs you don't recognize, or connections to IP addresses in unusual countries. You can look up any IP address at ipinfo.io to see where it is located and who owns it.
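Triaging that output by hand gets tedious once a machine has dozens of connections, so here is an added example (not code from the article or from SentinelHome101) that parses `netstat -b` text, attaches each connection to the program netstat prints after it, and reports which programs are talking to peers outside the home network, with anything not on a recognised-program allowlist flagged for a closer look. The netstat text is a constructed sample in the layout Windows prints; the peer addresses come from documentation ranges and the allowlist is illustrative.

```python
"""Triage `netstat -b` output: which programs hold connections to peers
outside the home network.

Added example; not code from the original article or from SentinelHome101.
The netstat text is a constructed sample in the layout Windows `netstat -b`
prints (each connection line followed by the owning program in brackets);
peer addresses use documentation ranges, and the allowlist is illustrative.
"""
import ipaddress
import re

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49700     203.0.113.10:443       ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:49701     192.168.1.20:8009      ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.10:49812     198.51.100.7:6667      ESTABLISHED
 [winupdate_helper.exe]
  TCP    192.168.1.10:49813     198.51.100.7:6667      ESTABLISHED
 [winupdate_helper.exe]
  UDP    0.0.0.0:5353           *:*
 [mDNSResponder.exe]
"""

# Programs the owner recognises; any other program with a non-local peer is flagged.
KNOWN_PROGRAMS = {"firefox.exe", "chrome.exe", "mDNSResponder.exe"}

# Address ranges that stay inside the home network, plus loopback and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
PROG_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Return connection dicts, each tagged with the program netstat printed after it."""
    conns, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            pending.append({"proto": m.group(1), "local": m.group(2),
                            "foreign": m.group(3), "state": m.group(4) or ""})
            continue
        m = PROG_RE.match(line)
        if m:
            for c in pending:  # the bracketed program owns every line above it
                c["program"] = m.group(1)
            conns.extend(pending)
            pending = []
    return conns


def peer_ip(foreign):
    """IP of the foreign endpoint, or None for '*' or an unresolved hostname."""
    host = foreign.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def external_peers_by_program(text):
    """Map program -> set of non-local peer IPs it is talking to."""
    peers = {}
    for c in parse_netstat(text):
        ip = peer_ip(c["foreign"])
        if ip is None or is_local(ip):
            continue
        peers.setdefault(c.get("program", "?"), set()).add(str(ip))
    return peers


def suspicious_connections(text, known=KNOWN_PROGRAMS):
    """External connections owned by programs not on the allowlist."""
    flagged = []
    for c in parse_netstat(text):
        ip = peer_ip(c["foreign"])
        if ip is not None and not is_local(ip) and c.get("program") not in known:
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    for program, peers in external_peers_by_program(SAMPLE_NETSTAT).items():
        print(f"{program}: {', '.join(sorted(peers))}")
    for c in suspicious_connections(SAMPLE_NETSTAT):
        print(f"CHECK {c['program']} -> {c['foreign']} ({c['state']})")
```

On the sample this leaves firefox.exe alone and flags the two connections from winupdate_helper.exe to port 6667 on an outside address; the next step is exactly what the text says, look the program name and the peer IP up, not to act on the name alone.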
Windows keeps detailed security logs that record login attempts, account changes, and system modifications. To access them:
eventvwr
In the Security log, a large number of Event ID 4625 (failed logon) entries can indicate a brute force attack attempt. Any Event ID 4720 (user account created) entries you didn't create yourself need immediate investigation.
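Reading those two Event IDs off the log one at a time does not show the pattern that matters, which is many 4625s from one source inside a short window. The added example below (not code from the article or from SentinelHome101) does that count with a sliding window per source address and lists every 4720 so each can be matched to an account the owner actually created. The event records are constructed samples carrying the fields used here; in practice they would be exported from Event Viewer or read with Get-WinEvent and mapped to the same fields.

```python
"""Spot brute-force and account-creation patterns in Windows Security events.

Added example; not code from the original article or from SentinelHome101.
The event records are constructed samples carrying the fields used here
(time, Event ID, target account, source address); a real run would export
the Security log from Event Viewer or read it with Get-WinEvent and map
those fields the same way.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs referenced by the article: 4625 = failed logon, 4720 = account created.
FAILED_LOGON = 4625
ACCOUNT_CREATED = 4720

_t0 = datetime(2024, 5, 1, 2, 10, 5)
SAMPLE_EVENTS = (
    # Constructed: 12 failed logons for Administrator from one LAN address, seconds apart.
    [(_t0 + timedelta(seconds=7 * i), FAILED_LOGON, "Administrator", "192.168.1.77")
     for i in range(12)]
    # Constructed: one ordinary mistyped password later in the morning.
    + [(datetime(2024, 5, 1, 9, 15, 0), FAILED_LOGON, "alice", "192.168.1.10")]
    # Constructed: an account created shortly after the burst, no source address logged.
    + [(datetime(2024, 5, 1, 2, 11, 40), ACCOUNT_CREATED, "svc_backup", "-")]
)


def failed_logon_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Per source address, the largest number of 4625s seen inside one window,
    reported only for sources that reach the threshold."""
    recent = defaultdict(deque)
    peak = {}
    for when, event_id, _account, source in sorted(events, key=lambda e: e[0]):
        if event_id != FAILED_LOGON:
            continue
        q = recent[source]
        q.append(when)
        while when - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[source] = max(peak.get(source, 0), len(q))
    return peak


def account_creations(events):
    """Every 4720, oldest first: each must match an account the owner created."""
    return sorted((when, account) for when, event_id, account, _src in events
                  if event_id == ACCOUNT_CREATED)


if __name__ == "__main__":
    for source, count in failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"possible brute force: {count} failed logons from {source} within 5 minutes")
    for when, account in account_creations(SAMPLE_EVENTS):
        print(f"account created: {account} at {when:%Y-%m-%d %H:%M:%S}")
```

The threshold and window are deliberately conservative so that a family member mistyping a password a few times never trips it; the same window logic applies to a router's own login-attempt log from the section above, with the router's source IP column in place of the event's source address.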
If you find strong evidence of a compromise, an unauthorized user account, a changed router password, or a device actively sending data to an unknown server, disconnect from the internet immediately and call your ISP before taking any other steps.
Windows Defender is capable antivirus software for most users and it's free and built in. Open it from the Start menu and run a full scan, not a quick scan. A full scan checks every file on your computer and takes longer but is thorough.
Open Task Manager (Ctrl + Shift + Esc) and look through the Processes and Details tabs. Right-click on anything unfamiliar and search online for its name. Legitimate Windows processes are well documented. Anything that shows up in searches as potentially malicious should be investigated further.
Malware typically adds itself to startup so it runs every time you boot the computer. In Task Manager, click the Startup tab to see everything that runs when Windows starts. Disable anything you don't recognize and research it before re-enabling.
If you find clear evidence of a compromise, here is the response sequence in order:
After a compromise: Monitor your financial accounts and credit reports for unusual activity over the following few months. If any banking credentials were potentially exposed, contact your bank directly.
Checking for all of these signs manually on a regular basis is time consuming. SentinelHome101 automates most of it: it scans for unauthorized devices, checks for ARP spoofing and rogue DHCP servers that indicate active attacks, monitors ransomware canary files for tampering, analyzes outbound connection volume for botnet-like behavior, and checks your Windows security configuration for signs of tampering.
Running it once a week takes about 30 seconds on the quick scan setting and gives you a snapshot of your network's security status that would otherwise take an hour to assemble manually.
SentinelHome101 checks for unauthorized devices, botnet behavior, ARP spoofing, and 98 other indicators. Free for Windows.