Too Sticky for a Note

Hello everyone. A little over a week ago, we discussed how we can leverage the saved state of deleted files left in the recycle bin and grab them for content in a data exfiltration scenario. You can read more about it here.

Today, I want to share with you yet another data exfiltration possibility. It started in the usual way: me, listening to music, staring at my monitors, when I realized that, just like Notepad++ or deleted files in the recycle bin, Sticky Notes also saves data which I can see anytime at my convenience.

So I went scouring the internet for information as to where this data would be stored and after reading a couple of posts I found two interesting things.

  1. The content of a Sticky Note is in clear text but in between gibberish when the file is read directly in PowerShell (you’ll see that in a bit).
  2. The paths and filenames are completely different after a certain Windows 10 version.

Addressing the second point first, the paths are as follows:

  1. In Windows 10 Version 1511 and earlier:
    • Filename: stickynotes.snt
    • Path: C:\Users\<username>\AppData\Roaming\Microsoft\Sticky Notes\
  2. In Windows 10 Anniversary Update Version 1607 and later:
    • Filename: plum.sqlite
    • Path: C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

Since my Windows version is after version 1607 (Windows 10 Build 18362 to be precise), I found my file at the path mentioned in 2.

A simple Get-Content on the plum.sqlite file produced a lot of information. This is where you need to give the content a death gaze to actually see the clear-text data.

A multi-line note looked much better and cleaner when the plum.sqlite file was opened.

Deleted content? No problem, that’s there too!

Also, going through the contents of the file, I saw that not only is the content entry saved to the file, but so are the updates to the data as you go on typing the note.
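
The two observations above (readable text sitting between binary "gibberish", and deleted text still present) can be reproduced on a constructed SQLite file. This is an added example, not code from the original post: it goes beyond the post by showing one general SQLite behaviour (freed records are not overwritten unless `secure_delete` is on), which the post does not establish as the mechanism in Sticky Notes. The `DemoNote` table, the file name and the note text are hypothetical stand-ins, not the real plum.sqlite schema or contents.

```python
import os
import re
import sqlite3
import tempfile

MARKER = "constructed-example-123"  # constructed sample text, not real data


def printable_runs(raw: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs found between SQLite's binary page structures."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def strings_after_delete(secure_delete: bool) -> list:
    """Build a constructed notes DB, delete one note, return raw file strings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed_notes.sqlite")
        con = sqlite3.connect(path)
        # Set explicitly: some SQLite builds default secure_delete to ON.
        con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        # Hypothetical table, NOT the real plum.sqlite schema.
        con.execute("CREATE TABLE DemoNote (Id INTEGER PRIMARY KEY, Body TEXT)")
        con.executemany(
            "INSERT INTO DemoNote (Body) VALUES (?)",
            [("buy milk on Friday",), ("wifi key: " + MARKER,)],
        )
        con.commit()
        con.execute("DELETE FROM DemoNote WHERE Body LIKE 'wifi key%'")
        con.commit()
        live = con.execute("SELECT Body FROM DemoNote").fetchall()
        con.close()
        assert live == [("buy milk on Friday",)]  # SQL no longer sees the note
        with open(path, "rb") as fh:
            return printable_runs(fh.read())


def residue_present(runs: list) -> bool:
    """True if the deleted note's text is still readable in the raw bytes."""
    return any(MARKER in run for run in runs)


if __name__ == "__main__":
    for mode in (False, True):
        runs = strings_after_delete(mode)
        print("secure_delete=%s deleted text still in file: %s"
              % (mode, residue_present(runs)))
```

For a defender, the contrast between the two runs is the point: a note that the application no longer shows can still be sitting in the database file on disk, so secrets pasted into notes should be treated as exposed to anything that can read the user's profile.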

For the red-teamer, this is a really interesting way to get information about the user’s content and the things they interact with; if you’re lucky, you may even find passwords.

That’s all for this post.

Thanks for Reading!

