Red Team Enumeration: A corner rarely explored

Mohammed Danish
Jan 27 · 2 min read

When it comes to physical access to workstations, viewed with an adversarial or offensive mindset, there is still a possibility in today's world that the attacker or malicious user will find handwritten yellow sticky notes on the desk or workstation containing sensitive information: a to-do list, some IP addresses, or maybe even passwords?

But think like a system admin managing multiple systems with a different, complex password for each account, or an admin user holding multiple accounts with different levels of privilege. He or she will surely not write sensitive information down and leave it on the workstation or desk.

What about Windows Sticky Notes??

In corporate environments, almost everyone uses Windows Sticky Notes to maintain a to-do list, and eventually sensitive information ends up in those notes.

If a system is already compromised, a Red Teamer enumerates the domain and gathers information about users, trusts, groups, ACLs, account privileges, processes and a lot of other stuff.

As a Red Team noob, I always missed checking the sticky notes. Whether or not the Sticky Notes process is running, the notes are still stored on the machine. Why not read them?

Fortunately, on Windows 10 these are stored as plain text in a SQLite database file, so it does not take much to read what the user has put there.

For Windows 10:

%localappdata%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

For Windows 7:

%appdata%\Microsoft\Sticky Notes\

Here is the dirty little PowerShell script to add to your enumeration arsenal, which will help you read the Sticky Notes from compromised Windows 10 hosts.

You can download the script here:

The script makes use of two DLLs from:

https://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki

1. System.Data.SQLite.dll

2. SQLite.Interop.dll

Following is the raw output of the script; each sticky note entry is displayed with the prefix \id=xxxxxxxxxxx
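The same database can be read offline by a blue team to find out which users are keeping credentials in their notes before an attacker does. The following is an added example, not the author's PowerShell script: it parses a copied plum.sqlite with Python's built-in sqlite3 module, strips the \id= prefix described above, and flags note bodies that look like stored secrets for a user-awareness follow-up. The Note table / Text column layout and the "\id=<guid> " prefix format are assumptions drawn from this post, and the three notes are constructed sample data.

```python
import os, re, sqlite3, tempfile

# Assumption (from this post's "\id=" observation): the Note table in plum.sqlite
# holds each note body in a Text column, prefixed with "\id=<guid> ".
ID_PREFIX = re.compile(r"^\\id=([0-9a-fA-F-]+)\s*")
# Keywords suggesting a note holds a credential; tune the list for your environment.
SECRET_HINT = re.compile(r"\b(pass(word|wd)?|pwd|pin|token|api[_ -]?key)\b\s*[:=]", re.IGNORECASE)


def load_notes(db_path):
    """Return [(note_id, body)] from the Note table of a copied plum.sqlite."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT Text FROM Note WHERE Text IS NOT NULL ORDER BY Id").fetchall()
    finally:
        con.close()
    notes = []
    for (raw,) in rows:
        m = ID_PREFIX.match(raw)
        note_id = m.group(1) if m else None      # None when the prefix is absent
        body = raw[m.end():] if m else raw
        notes.append((note_id, body.strip()))
    return notes


def flag_credential_like(notes):
    """Keep only notes whose body looks like it stores a secret."""
    return [(nid, body) for nid, body in notes if SECRET_HINT.search(body)]


def build_sample_db(path):
    """Constructed stand-in for plum.sqlite: three notes, one with a fake password."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT)")
    con.executemany("INSERT INTO Note VALUES (?, ?)", [
        ("n1", r"\id=1f2e3d4c-0000-4000-8000-000000000001 Standup moved to 10:30"),
        ("n2", r"\id=1f2e3d4c-0000-4000-8000-000000000002 VPN pwd: Winter2024!"),
        ("n3", "Buy milk"),  # no prefix, to show the parser tolerates it
    ])
    con.commit()
    con.close()


def demo():
    """Build the sample database in a temp dir and return (all_notes, flagged)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "plum.sqlite")
        build_sample_db(path)
        notes = load_notes(path)
        return notes, flag_credential_like(notes)
```

Point load_notes at a copy of the real file (never the live one, which Sticky Notes may hold open) and only the flagged list needs to leave the analyst's machine.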

Enumerate Enumerate & Enumerate ;)

Written by Mohammed Danish

A newbie in Offensive Security and Penetration Testing, have done OSCP, now learning and moving towards Red Teaming and Advanced Threat Tactics.
