Selcouth Cyber Security Services Private Limited

Too Sticky for a Note

Data-Exfil + InfoSec + Red Teaming | acc3ssp0int | October 16, 2020


Hello everyone. A little over a week ago, we discussed how the saved state of a deleted file left in the Recycle Bin can be recovered and used for its content in a data exfiltration scenario. You can read more about it here.

Today, I want to share with you yet another data exfiltration possibility. It started in the usual way: me, listening to music, staring at my monitors, when I realized that, just like Notepad++ or deleted files in the Recycle Bin, Sticky Notes also saves its data to disk, where I can read it any time at my convenience.

So I went scouring the internet for information as to where this data would be stored and after reading a couple of posts I found two interesting things.

  1. The content of a Sticky Note is stored in clear text, interleaved with binary gibberish, when the file is read directly in PowerShell (you’ll see that in a bit).
  2. The paths and filenames are completely different after a certain Windows 10 version.

Addressing the second point first, the paths are as follows:

  1. In Windows 10 Version 1511 and earlier:
    • Filename: stickynotes.snt
    • Path: C:\Users\<username>\AppData\Roaming\Microsoft\Sticky Notes\
  2. In Windows 10 Anniversary Update Version 1607 and later:
    • Filename: plum.sqlite
    • Path: C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

Since my Windows version is later than 1607 (Windows 10 Build 18362, to be precise), I found my file at the path mentioned in 2.

A simple Get-Content on the plum.sqlite file produced a lot of output. This is where you need to stare hard at the content to actually pick out the clear text data among the binary.

A multi-line note looked much cleaner and more readable when the plum.sqlite file was opened.

Deleted content? no problem, that’s there too!

Also, going through the contents of the file, I saw that not only the content entry is saved to the file, but also the updates of the data as you go on typing the note.

For the red-teamer, this is a really interesting way to get information about the user’s content and the things they interact with; if you’re lucky, you may even find passwords.
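To check the same risk from the defensive side, here is an added Python example (not from the original post) that builds a constructed stand-in for plum.sqlite, audits it for credential-like strings including soft-deleted notes, and confirms the text sits unencrypted in the file; the `Note` table and its `Text`/`DeletedAt` columns are assumptions about the real schema, so verify them against your own copy first.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Assumed schema: the real plum.sqlite keeps notes in a "Note" table with a
# "Text" column and a "DeletedAt" timestamp for soft-deleted notes. This is an
# assumption; confirm with ".schema Note" in the sqlite3 shell before relying on it.
SECRET_PATTERN = re.compile(
    r"(?i)\b(pass(word|wd)?|pwd|pin|token|api[_ -]?key)\b\s*[:=]\s*\S+"
)

def build_sample_db(path):
    """Create a constructed stand-in for plum.sqlite (sample data, not a real file)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT, DeletedAt INTEGER)")
    conn.executemany("INSERT INTO Note VALUES (?, ?, ?)", [
        ("n1", "Grocery list\nmilk, eggs", None),
        ("n2", "VPN password: Winter2020!", None),
        ("n3", "old wifi pwd=CorpGuest123", 132466000000000000),  # soft-deleted note
    ])
    conn.commit()
    conn.close()

def audit_sticky_notes(path):
    """Return (note_id, is_deleted, matched_text) for notes holding credential-like
    strings. Deleted notes are included: their text is still present in the file."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only, no writes
    findings = []
    for note_id, text, deleted_at in conn.execute("SELECT Id, Text, DeletedAt FROM Note"):
        m = SECRET_PATTERN.search(text or "")
        if m:
            findings.append((note_id, deleted_at is not None, m.group(0)))
    conn.close()
    return findings

def cleartext_on_disk(path, needle):
    """The post's observation: note text is stored unencrypted, so a raw byte
    read of the file finds it without any SQLite parsing."""
    return needle.encode("utf-8") in Path(path).read_bytes()

def run_demo():
    """Build the constructed database, audit it, and check the raw file."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "plum.sqlite"
        build_sample_db(db)
        return audit_sticky_notes(db), cleartext_on_disk(db, "CorpGuest123")

if __name__ == "__main__":
    findings, on_disk = run_demo()
    for f in findings:
        print("flagged:", f)
    print("deleted note text still readable raw from disk:", on_disk)
```

Pointing `audit_sticky_notes` at a copy of a real plum.sqlite (with the schema confirmed) gives a quick user-awareness check for secrets kept in notes.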

That’s all for this post.

Thanks for Reading!

Written by: acc3ssp0int
