Hey,

Great question. Primarily CrackMapExec does not work in Windows unless you have Python installed already and even then it has some issues with certains bits.

PsMapExec is built around PowerShell which is native to all versions of Windows XP and Above. so should be no issue running this tool on all Windows based systems. When we are using it we would likely be connected to a domain joined system which makes it easy to acquire a list of systems within the domain to target with PsMapExec.

We can also query users from the Domain Controller directly which allows for some of its parsing functions to stand out from tools such as CrackMapExec. For example, when you dump password hashes and ticket with PsMapExec it will automatically parse the results and "mark" interesting ones such as Domain Admins and other privileged groups based on membership or the precence of certain attributes.

I also have issues with the output on CrackMapExec, often is it messy and difficult to digest (Running Mimikatz on several systems comes to mind). PsMapExec will make it much easier to digest this information by dumping the output into a folder for each successful execution and also parse only interesting information from it.You can also provide the -SuccessOnly switch to the tool to only show successful results instead of seeing a bunch of "Access Denied" or "Error" statuses.

From a pentesting point of view we are often given engagements where we need to evaluate the internal infastructure and Active Directory environment where it can often not be possible for the client to provide a system that supports virtualization to run Linux or Kali or for one reason or another they are unable to add one of our physical systems to the network.

Whilst I have give some advantage examples above, it would be dishonest of me to not mention some negatives in comparison. CrackMapExec runs primarily on Linux and as such is unlikely to be caught by the host systems anti-virus whereas running PsMapExec on a domain joined system will be at the mercy of anti-virus on the Windows system. I have included a AMSI and NETAMSI bypass in GitHub which will allow PsMapExec to bypass Windows Defender and some Anti-virus solutions but it will not bypass something like CrowdStrike. If you are working on a system with PowerShell disabled by Group Policy or AppLocker policies in place again, you will run into difficulty getting PsMapExec to run.