PSWatcher is PSpanner's brother; however, they work differently.
- PSpanner was designed for people wanting to do a live scan.
- PSWatcher was designed to help monitor network devices.
Setting up PSWatcher
First download the script here: https://github.com/securethelogs/PSWatcher
You will then need to place it on a server or client which will be used to scan your network devices.
Setting the destination
Once you have the script, open it up and set your chosen variables:
If you wish to monitor a single IP, fill in $usesingle. Examples:
- $usesingle = "172.27.0.1"
- $usesingle = "mysite.com"
If you wish to monitor multiple addresses, you will need to create a txt file and add them in. Once done, edit $usetxt. Example:
$usetxt = "C:\IPList\List.txt"
Set only one of $usesingle or $usetxt. The script won't work if both have values.
Setting Scan Type
You can either scan all ports or only the most common ones, which are listed next to $Portarray.
If you set $ScanAll = "True", then it will run through ports 1 through 65535.
This will take longer, but it’s up to you. If ports are missing from $Portarray, simply add them in.
Editing The Events
The script will generate an event which can be forwarded to your SIEM using a subscription. Helpful link: https://docs.microsoft.com/en-us/windows/win32/wec/windows-event-collector
You can edit the values to match your requirements. Currently, the EventID is 1111, which can be filtered on.
Example if left with defaults:
The script doesn't need to be run as admin; however, the source does need to be able to reach the destination (on the network or internet).
If you wish to run it periodically, I suggest setting up a scheduled task:
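One way to register such a task from PowerShell and then confirm that events are arriving. This is an added example, not part of the PSWatcher project; the script path, task name, interval and log name are assumptions to adjust to your setup.

```powershell
# Added example. Values marked "assumed" or "hypothetical" are not from the PSWatcher project.
$ScriptPath = 'C:\Scripts\PSWatcher.ps1'   # assumed location of the downloaded script
$TaskName   = 'PSWatcher-Monitor'          # hypothetical task name
$Interval   = New-TimeSpan -Minutes 30     # assumed scan interval
$LogName    = 'Application'                # assumed log; match the event settings in the script
$EventId    = 1111                         # default EventID stated above

if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
    throw "Script not found: $ScriptPath"
}

# Run without a user profile so every run starts from the same state.
# The machine's execution policy must allow this script to run.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# First run one minute from now, then repeat at the chosen interval.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval $Interval

# Least privilege: current user, not elevated, since the script does not need admin.
# Interactive means the task only runs while this user is logged on.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Limited

# Skip a new run if the previous one is still going (a full port scan can
# outlast the interval) and stop any run that exceeds two hours.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

# After the first run has finished, confirm that events are being written.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message
```

If the final query returns nothing after a completed run, check the log name and EventID set in the script before troubleshooting event forwarding.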
I hope you enjoy and it benefits you in some way.
Please feel free to add me on Twitter or contact me with any improvements or feedback.
PSpanner can be found here: https://securethelogs.com/pspanner-network-scanner/