Vol. 1 · Ed. 2026
CyberGlossary
Entry № 257

Credential Stealer

Reviewed by Cybersecurity entrepreneur & security researcher

What is a Credential Stealer?

Credential Stealer: Malware focused specifically on extracting passwords, hashes, and authentication tokens from an infected system or its memory.


A credential stealer is a tool, sometimes a standalone module of a larger info stealer, that targets stored or in-memory secrets such as credentials held by the Windows LSASS process, browser password stores, SSH keys, Wi-Fi passwords, and cached domain credentials. Once extracted, the secrets enable lateral movement, persistence, business email compromise, and credential stuffing. Mimikatz is the archetypal example, often loaded reflectively into memory. Defences include Credential Guard, LSA protection, strict least privilege, removing local admin rights, FIDO2 keys instead of passwords, EDR with memory-scraping detections, and detection of suspicious access to credential stores.
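
One way to implement the "detection of suspicious access to credential stores" defence for LSASS, as an added example that is not part of the original entry: it scans records in the field layout of Sysmon Event ID 10 (ProcessAccess) for memory-read handles to lsass.exe. The log records, the allowlist and the ExampleEDR path are constructed assumptions.

```python
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumption: per-site allowlist of images expected to read LSASS memory (hypothetical path).
ALLOWED_SOURCES = {r"c:\program files\exampleedr\agent.exe"}

# Constructed sample records in the "Field: value" layout of Sysmon Event ID 10 messages.
SAMPLE_LOG = r"""
SourceImage: C:\Program Files\ExampleEDR\agent.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c13e

SourceImage: C:\Users\demo\AppData\Local\Temp\updater.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(000001F4A2B30412)

SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4c4
"""

def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in text.strip().split("\n\n")]

def suspicious_lsass_reads(events):
    """Return (source image, access mask, reasons) for unexpected LSASS memory reads."""
    findings = []
    for ev in events:
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if not access & PROCESS_VM_READ:
            continue  # handle cannot read memory (e.g. query-only 0x1000)
        if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
            continue
        reasons = ["memory-read handle to lsass.exe from non-allowlisted image"]
        if "UNKNOWN(" in ev.get("CallTrace", ""):
            # Frame not backed by a module on disk, as with reflectively loaded code.
            reasons.append("call originates from unbacked memory")
        findings.append((ev["SourceImage"], hex(access), reasons))
    return findings

if __name__ == "__main__":
    for source, mask, reasons in suspicious_lsass_reads(parse_events(SAMPLE_LOG)):
        print(source, mask, "; ".join(reasons))
```
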

Examples

  1. Mimikatz extracting NTLM hashes from LSASS memory.

  2. LaZagne pulling passwords from browsers, Wi-Fi, and applications.

Frequently asked questions

What is a Credential Stealer?

Malware focused specifically on extracting passwords, hashes, and authentication tokens from an infected system or its memory. It belongs to the Malware category of cybersecurity.

How do you defend against a Credential Stealer?

Defences for Credential Stealer typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Credential Stealer?

Common alternative names include: Password stealer, Credential dumper.
