dpapi::tpm decrypts a TPM PCP key file, that is, a key file produced by Microsoft's TPM Platform Crypto Provider (PCP). To check whether the device has a Trusted Platform Module (TPM) chip, run Get-Tpm from an elevated PowerShell prompt:

PS C:\WINDOWS\system32> get-tpm

TpmPresent                : True
TpmReady                  : True
ManufacturerId            : 1229870147
ManufacturerIdTxt         : INTC
ManufacturerVersion       : 11.6
ManufacturerVersionFull20 :
ManagedAuthLevel          : Full
OwnerAuth                 : 5lretp/xjie7kWk1wxmX2DZKSrw=
OwnerClearDisabled        : True
AutoProvisioning          : Enabled
LockedOut                 : False
LockoutHealTime           : 2 hours
LockoutCount              : 0
LockoutMax                : 32
SelfTest                  : {}

Note that the output above includes OwnerAuth, the TPM owner authorization value, so treat it as sensitive. dpapi::tpm takes the following command line arguments:

  • /in: the TPM PCP key file

  • /password: the password to decrypt the tpm key

  • /masterkey: the masterkey to use for decryption. It can be obtained through sekurlsa::dpapi.

  • /unprotect: display the decryption results on screen

Benjamin has also published a standalone tool called kirandomtpm (written in C), which uses the BCrypt API to obtain random bytes from a TPM.

mimikatz# dpapi::tpm /unprotect /in:<tpm_file>
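The steps above (confirm a usable TPM, then point dpapi::tpm at a PCP key file) assume you already have such a file. The following PowerShell is an added lab example, not code from the mimikatz page or from its author: it repeats the Get-Tpm precondition check, creates a TPM-backed RSA key through the Platform Crypto Provider with the .NET CNG API so that a real PCP key file exists to practise on, and then lists candidate key files. The key name `lab-pcp-test` is a made-up label, and the on-disk location `%ProgramData%\Microsoft\Crypto\PCPKSP\<id>\*.PCPKEY` is an assumption about the PCP KSP's default storage path, not something the page states. Run it from an elevated prompt on a test machine.

```powershell
# Added example, not part of the mimikatz documentation.
# Step 1: confirm a present and ready TPM, as the page does with Get-Tpm.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady))"
}

# Step 2: create (or reopen) a TPM-backed RSA key via the Platform Crypto Provider KSP.
# 'Microsoft Platform Crypto Provider' is the PCP KSP's registered provider name;
# 'lab-pcp-test' is an arbitrary label chosen for this example.
$provider = New-Object System.Security.Cryptography.CngProvider 'Microsoft Platform Crypto Provider'
$params   = New-Object System.Security.Cryptography.CngKeyCreationParameters
$params.Provider = $provider
$keyName  = 'lab-pcp-test'

if ([System.Security.Cryptography.CngKey]::Exists($keyName, $provider)) {
    $key = [System.Security.Cryptography.CngKey]::Open($keyName, $provider)
} else {
    $key = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::Rsa, $keyName, $params)
}
"Key '{0}' held by provider '{1}', unique name: {2}" -f $key.KeyName, $key.Provider.Provider, $key.UniqueName

# Step 3: locate the on-disk PCP key file to pass to dpapi::tpm /in:.
# Assumption: the PCP KSP stores key files under %ProgramData%\Microsoft\Crypto\PCPKSP\<id>\*.PCPKEY.
$pcpRoot = Join-Path $env:ProgramData 'Microsoft\Crypto\PCPKSP'
Get-ChildItem -Path $pcpRoot -Recurse -Filter '*.PCPKEY' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 FullName, Length, LastWriteTime

# Cleanup once the lab key is no longer needed (this removes the file dpapi::tpm would read):
# $key.Delete()
```

The most recently written `.PCPKEY` file after step 2 is the one backing `lab-pcp-test`; hand its path to `dpapi::tpm /in:<tpm_file>` together with the `/password` or `/masterkey` that protects it, exactly as the argument list above describes.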
