%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\
In that directory was what looked to be a randomly generated 8 character directory (i.e A821ZSQI) inside of which held a bunch of attachments from my email (not just my inbox).
According to Microsoft KB 817878 this is a “Secure” temp folder which can be identified by a handy dandy registry key (Outlook 2010 referenced, KB has others):
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
I tested this out with a email that was encrypted. Once the file was opened it landed in the temp directory and stayed there after I closed the email and Outlook.
This is definitely going on the top of my Post-Exploitation click scripts.
Posts
0 comments:
Post a Comment