Overview
PsMapExec is a PowerShell-native lateral movement utility built for internal penetration testers who need flexibility, speed, and stealth across Windows environments. Created by The-Viper-One, the tool fills a niche similar to Evil-WinRM and Impacket’s psexec.py, but tailored for scripting-friendly workflows and PowerShell-native persistence. If your red team operations lean on WinRM, SMB, or RDP-based access, PsMapExec is a lightweight yet powerful option worth testing against real networks.
Features
PsMapExec allows you to map and execute PowerShell scripts across a list of target IPs. The utility can take a range of credentials, support token impersonation, and execute modules remotely. It includes integrated modules for:
- SMB enumeration and share mapping
- WinRM-based command execution
- Credential spraying support
- AD user group enumeration
The design is modular and built to allow easy addition of your own PowerShell payloads or operational scripts. This will enable testers to keep their tooling consistent with PowerShell-centric environments, especially when remote C2 channels are limited or heavily monitored.
Use Cases in Internal Engagements
PsMapExec is particularly useful during the lateral movement and privilege escalation stages of a red team or assumed breach assessment. Since many enterprise environments still expose WinRM or SMB internally—with insufficient segmentation—it’s a practical tool to quietly move through the network without deploying external binaries.
It’s also helpful for credential validation. If you’ve harvested credentials during phishing or LSASS dumping and want to verify their scope without alerting EDRs that flag executable-based tooling, PsMapExec gives you a native alternative.
Installation and Usage
The tool comes as a standalone PowerShell script. To run:
Import-Module .\PsMapExec.ps1 Invoke-PsMapExec -TargetList .\targets.txt -Username "domain\user" -Password "Password123" ` -Module "smb_enum" You can build your modules by following the structure in the Modules\ folder. Module execution results are returned in the console, with verbose output options available for debugging or detailed enumeration.
Detection and Blue Team Considerations
Despite being PowerShell-native, PsMapExec generates observable activity on SMB and WinRM ports (TCP 445 and 5985, respectively). Defenders can spot this through:
- Windows Event Logs: look for 4688 (process creation) and 4624 (logon events)
- WinRM logging: track PowerShell Remoting activity and unusual source IPs
- SMB share access: monitor for high-frequency access patterns or failed attempts
PowerShell logging (module, script block, and transcription) should be enabled where possible to surface unusual module use. Integration with Microsoft Defender’s AMSI or Sysmon with rules targeting lateral toolkits may help spot misuse.
Comparison to Other Tools
Compared to CrackMapExec, PsMapExec is lighter and more focused on PowerShell-native contexts. Unlike Evil-WinRM, it allows parallel execution against multiple hosts with a more modular backend. That makes it especially useful for operators running internal assessments from jump boxes or thin clients where installing full C2 kits isn’t feasible.
However, unlike Cobalt Strike or Havoc, it lacks built-in obfuscation or encryption of traffic, so operational use should assume clear-text visibility unless tunnelled or proxied through existing C2 infrastructure.
Red Team Relevance
For red teams that rely on native tooling and “living off the land” principles, PsMapExec bridges the gap between manual WinRM interaction and full C2 deployment. It is beneficial during “assumed breach” scenarios where you start with domain credentials and limited network access, and need to pivot quickly using low-noise techniques.
It also encourages modularity. Each module is effectively a self-contained PowerShell task, which can be versioned, customised, or integrated with other enumeration pipelines. That fits nicely into a modern, agile red team toolkit.
Final Thoughts
PsMapExec isn’t trying to replace large frameworks. Instead, it offers something highly targeted: a fast, native method to execute tasks across internal Windows machines using just PowerShell and credentials. That simplicity makes it a valuable addition to any red team kit, especially in stealth-heavy or segmented engagements.
You can read more or download it here: https://github.com/The-Viper-One/PsMapExec.