PSWatcher: Network Scanner


PSWatcher is PSpanner's brother; however, they work differently.

  • PSpanner was designed for people wanting to do a live scan.
  • PSWatcher was designed to help monitor network devices.

Setting up PSWatcher

First download the script here: https://github.com/securethelogs/PSWatcher

You will then need to place it on a server or client which will be used to scan your network devices.

Setting the destination

Once you have the script, open it up and set your chosen variables:

If you wish to monitor a single IP, fill in $usesingle. Examples:

  • $usesingle = "172.27.0.1"
  • $usesingle = "mysite.com"

If you wish to monitor multiple addresses, you will need to create a txt file and add them in. Once done, edit $usetxt. Example:

$usetxt = "C:\IPList\List.txt"

Set only one of the two variables; the script won't work if both have values.

Setting Scan Type

You can either scan all ports or only the most common ones, which are listed next to $Portarray.

If you set $ScanAll = "True", then it will run through ports 1…65535.

This will take longer, but it’s up to you. If ports are missing from $Portarray, simply add them in.

Editing The Events

The script will generate an event which can be forwarded to your SIEM using a subscription. Helpful link: https://docs.microsoft.com/en-us/windows/win32/wec/windows-event-collector

You can edit the values to match your requirements. At the moment, the EventID is 1111, which can be filtered on.

Example if left with defaults:

Running PSWatcher

The script doesn't need to be run as admin; however, the source does need to be able to reach the destination (on the network or internet).

If you wish to run it periodically, I suggest setting up a scheduled task:

https://docs.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
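One way to set up the scheduled task and then confirm that events with ID 1111 are being written before configuring forwarding. This is an added example, not code from the PSWatcher project; the script path, task name, hourly interval and the Application log name are assumptions to adjust.

```powershell
# Added example: not part of PSWatcher.
# Path, task name, interval and log name below are assumptions.
$ScriptPath = 'C:\Scripts\PSWatcher.ps1'   # assumed location of the downloaded script
$TaskName   = 'PSWatcher-Hourly'           # hypothetical task name
$LogName    = 'Application'                # assumption: check the script for the log it writes to

# Run the script with Windows PowerShell, without loading any user profile.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$ScriptPath`""

# Start in five minutes, then repeat every hour.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
    -RepetitionInterval (New-TimeSpan -Hours 1)

# The script does not need admin rights, so run it non-elevated as the current user.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Limited

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Description 'Periodic PSWatcher scan'

# After a run, list recent events with ID 1111 from the assumed log.
function Get-PSWatcherEvent {
    param(
        [string]$Log = $LogName,
        [int]$Hours = 24
    )
    $filter = @{ LogName = $Log; Id = 1111; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises an error when nothing matches; return an empty result instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

Get-PSWatcherEvent | Format-List
```

Event IDs are only unique per provider, so note the ProviderName shown in the output and filter on it together with ID 1111 in the subscription or SIEM rule.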

I hope you enjoy and it benefits you in some way.
Please feel free to add me on Twitter or contact me with any improvements or feedback.

PSpanner can be found here: https://securethelogs.com/pspanner-network-scanner/