When it comes to physical access to workstations, viewed with an adversarial or offensive mindset, there is still a real chance today that an attacker or malicious user finds “Handwritten Yellow Sticky Notes” on the desk or monitor holding sensitive information: a to-do list, some IP addresses, or maybe even passwords.
But think like a system admin managing multiple systems, each with a different, complex password for every account, or an admin user with multiple accounts at different privilege levels. He/She will surely not write that information down and leave it on the workstation or desk.
What about Windows Sticky Notes?
In corporate environments almost everyone uses Windows Sticky Notes to keep a to-do list, and sooner or later sensitive information ends up in them.
Once a system is already compromised, a Red Teamer enumerates the domain and gathers information about users, trusts, groups, ACLs, account privileges, processes and a lot of other stuff...
As a Red Team noob, I always missed checking the Sticky Notes. Whether the Sticky Notes process is running or not, the notes are still stored on the machine. Why not read them?
Fortunately, on Windows 10 they are stored as plain text in a SQLite database file, so it does not take much to read what the user has put there.
For Windows 10:
For Windows 7:
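Because the notes are plain text in a SQLite file, the same property that makes them easy for an attacker to read makes them easy to audit. The following is an added example, not the PowerShell script the post links to: a small Python audit that an admin or DFIR analyst runs against a copy of the database (for instance one already exported from a forensic image) and flags notes that look like they contain credentials, IP addresses or privileged account names, so they can be cleaned up before anyone else reads them. The table name `Note`, the column `Text`, the `Id` column and the sample notes are constructed for this example and are not taken from the post; adjust them to the schema of the file you actually have.

```python
"""Audit a Sticky Notes SQLite database copy for credential-like content.

Added example (not the script the post links to). Assumed, not from the
post: notes live in a table "Note" with columns "Id" and "Text"; the file
is a copy the analyst already holds, opened read-only so the audit never
modifies evidence.
"""
from __future__ import annotations

import re
import sqlite3
import tempfile
from pathlib import Path

# Patterns that suggest secrets or infrastructure details were jotted down.
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(pass(word)?|pwd|passwd|pin|secret|token)\b\s*[:=]", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "privileged_account": re.compile(r"\b(admin(istrator)?|root|svc_\w+)\b", re.I),
}


def classify_note(text: str) -> list[str]:
    """Return the names of the patterns that match one note body."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]


def audit_database(db_path) -> list[dict]:
    """Open a database copy read-only and return the notes worth cleaning up."""
    uri = f"{Path(db_path).resolve().as_uri()}?mode=ro"  # read-only: evidence stays untouched
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT Id, Text FROM Note").fetchall()  # assumed schema
    finally:
        con.close()
    findings = []
    for note_id, text in rows:
        body = text or ""
        hits = classify_note(body)
        if hits:
            findings.append({"id": note_id, "matches": hits, "preview": body[:40]})
    return findings


def build_sample_database(path) -> None:
    """Create a constructed database in the assumed schema with sample notes."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT)")
    con.executemany("INSERT INTO Note VALUES (?, ?)", [
        ("n1", "Buy milk, call dentist"),
        ("n2", "jump host 10.0.0.5 admin pass: Winter2019!"),  # constructed, not real
        ("n3", "Standup moved to 10am"),
    ])
    con.commit()
    con.close()


def demo() -> list[dict]:
    """Build the constructed database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "notes.sqlite"
        build_sample_database(db)
        return audit_database(db)


if __name__ == "__main__":
    for f in demo():
        print(f"id={f['id']} flagged for {', '.join(f['matches'])}: {f['preview']!r}")
```

Only the second constructed note is reported, and it is reported for all three reasons at once; the other two contain nothing of interest. On a real export, point `audit_database` at the copied file and treat every flagged note as a password that now needs rotating, not just deleting.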
Here is the dirty little PowerShell script to add to your enumeration arsenal; it reads the Sticky Notes from compromised Windows 10 hosts.
You can download the script here:
The script makes use of two DLLs from:
Following is the raw output of the script; each sticky note entry is displayed with the prefix \id=xxxxxxxxxxx
Enumerate Enumerate & Enumerate ;)