Post-It Note Passwords

I am often asked how I am able to get a hold of people's passwords. Sometimes the answer is simply guessing. Other times, it is slightly harder.

When on physical engagements, I often will look under a keyboard, in a desk drawer, or on the computer monitor and most of the time there is a Post-It note staring back at me, with the user's password written on it. When I am not physically on-site at a company location, this attack vector is not accessible to me...or is it?

Windows from Windows Vista through Windows 10 have a built-in application called Sticky Notes. Have you ever been on a workstation (either physically or taking screenshots) and seen this?

There it is in all it's beauty, a virtual Post-It note, with juicy information written on it. Often though, only part of the note is shown due to other windows placement, or the application is closed. We want to be able to look for these notes and pull out information when we get on a host.

Luckily, it is not hard at all to get this information. Navigating to the C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState directory on Windows 10, we find a plum.sqlite file.

Here I am using PoshC2 ( to download the plum.sqlite file, but you can use whatever means you have available to download this file.

We can then use sqlite3 to dump the database and find all sorts of juicy data! (Of course we could just place on a Windows host in the same directory and open it in the Sticky Notes application as well)

This has been extremely helpful on engagements when attempting to get access to sensitive data or passwords to further access. I think it goes without saying, but while Sticky Notes are extremely useful, make sure not to use to hold any sensitive data!

Popular Posts