AD Inventory Collection via PowerShell Script and Wazuh Agent

Juan Romero

19-Mar-2025

AD Inventory Collection via PowerShell Script and Wazuh Agent

This guide describes how to collect a machine inventory from AD using PowerShell.

How to Run a PowerShell Script from Task Scheduler?

Requirements: 

• Download the PowerShell script “ad_inventory.ps1” from GitHub: https://raw.githubusercontent.com/socfortress/Wazuh-Rules/refs/heads/main/AD_Inventory/ad_inventory.ps1
• Configure a schduled task as described below in a Windows Domain Controller.
  • This Windows DC MUST have the EDR installed and connecetd to the Wazuh manager.

PowerShell is really a game-changer to automate repetitive or time-consuming processes, isn't it? We have a PowerShell script to generate a report on SharePoint content database size growth – Storage Report; we used to run it on the first day of every month on the SharePoint server to generate the report.
Combining the flexibility of PowerShell with the scheduling capabilities of Task Scheduler opens up a world of possibilities for automating repetitive tasks and running maintenance scripts. You can automate PowerShell scripts with the Windows task scheduler.

To schedule a SharePoint PowerShell script to run in Task Scheduler, ensure you have the necessary PowerShell modules, such as “Microsoft.SharePoint.PowerShell” or PnP.PowerShell is installed on the machine first. Then proceed with the below steps to create a scheduled task for the SharePoint PowerShell script:
Task Scheduler is a built-in utility in Windows that allows you to create and manage automated tasks. These tasks can be triggered based on various criteria, such as a specific time, system startup, or even a particular event. Here is how to run a PowerShell script in the task scheduler:

• Open the Task Scheduler by going to Start Menu >> Administrative Tools >> Task Scheduler.
• From the Actions menu, click on “Create a Basic Task”.

• Please give it a Name and Description. Say: “AD Machine Inventory Collection”.
• On the Triggers tab, select the interval you want to run the program, such as “Daily”, “Weekly”, etc. In our case, select “Daily”.
• In the Action Tab, choose what action you want the task to perform. For our purposes, we'll select the “Start a program” option button. Click Next.

• In the “Start a Program” Tab:
  •  In Program/script, Enter the path of the Windows PowerShell executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • In Arguments, enter the script file path. Say: c:\path\ad_inventory.ps1
  • In “Start in”, Enter the folder path where the script is located. Say “c:\path”

Important: You must specify a value for the Start-in field, even though it's optional. This is because if no value is specified, PowerShell exports the output in the “C:\Windows\System32” directory.

• Select the checkbox “Open the Properties dialog for this task when I click Finish”, and click the Finish button.

• In the properties dialog, under the General tab, ensure that the “Run when user is logged on or not” and “Run with highest privileges” checkboxes are selected to ensure you are running the script with Administrative rights

• Click the “OK” button to get a login prompt. Confirm the User Name and password in which the task runs (preferably a service account with a password never expires flag set) and press enter. The task scheduler will create a new task to run the PowerShell script on given parameters.

What happens next?

The output of the inventory will be formatted yo JSON and appended to the active responses log file in the agent.

The Wazuh manager already has detection rules to classify these events.

Grafana, under the EDR Dashboards section, “EDR – AD INVENTORY”, will display the inventory collected.