tpm
dpapi::tpm decrypts a TPM PCP key file (PCP is Microsoft's TPM Platform Crypto Provider). To check whether the device has a Trusted Platform Module (TPM) chip:
PS C:\WINDOWS\system32> get-tpm

TpmPresent : True
TpmReady : True
ManufacturerId : 1229870147
ManufacturerIdTxt : INTC
ManufacturerVersion : 11.6
ManufacturerVersionFull20 : 11.6.0.1136
ManagedAuthLevel : Full
OwnerAuth : 5lretp/xjie7kWk1wxmX2DZKSrw=
OwnerClearDisabled : True
AutoProvisioning : Enabled
LockedOut : False
LockoutHealTime : 2 hours
LockoutCount : 0
LockoutMax : 32
SelfTest : {}
It has the following command line arguments:
  • /in: the TPM PCP key file
  • /password: the password to decrypt the TPM key
  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.
  • /unprotect: display the decryption results on screen
Benjamin has also published a standalone tool called kirandomtpm (C) which is a BCrypt provider to get random bytes from a TPM.
mimikatz# dpapi::tpm /unprotect /in:<tpm_file>