What do you need help with?

We are here and ready to help.
Email: servicedesk@socfortress.co

    AD Inventory Collection via PowerShell

    Juan Romero

    10-Sep-2025

    ​AD Inventory Collection via PowerShell

    Script and Wazuh Agent
    This guide describes how to collect a machine inventory from AD using PowerShell.
    How to Run a PowerShell Script from Task Scheduler?
    Requirements:

    • Download the PowerShell script “ad_inventory.ps1” from GitHub: https://raw.githubusercontent.com/socfortress/Wazuh-Rules/refs/heads/main/AD_Inventory/ad_inventory.ps1
    • Configure a schduled task as described below in a Windows Domain Controller. ​
      • This Windows DC MUST have the EDR installed and connecetd to the Wazuh manager.

     

    Scheduled Task

    Task Scheduler is a built-in utility in Windows that allows you to create and manage
    automated tasks. These tasks can be triggered based on various criteria, such as a specific
    time, system startup, or even a particular event.

    PowerShell is really a game-changer to automate repetitive or time-consuming processes,
    Combining the flexibility of PowerShell with the scheduling capabilities of Task Scheduler
    opens up a world of possibilities for automating repetitive tasks and running maintenance
    scripts. You can automate PowerShell scripts with the Windows task scheduler.

    To schedule a SharePoint PowerShell script to run in Task Scheduler, ensure you have the
    necessary PowerShell modules, such as “Microsoft.SharePoint.PowerShell” or
    PnP.PowerShell is installed on the machine first. Then proceed with the below steps to
    create a scheduled task for the SharePoint PowerShell script:​

     

    • Open the Task Scheduler by going to Start Menu >> Administrative Tools >> Task Scheduler.
    • From the Actions menu, click on “Create a Basic Task”.​

    • Please give it a Name and Description. Say: “AD Machine Inventory Collection”.
    • On the Triggers tab, select the interval you want to run the program, such as “Daily”, “Weekly”, etc. In our case, select “Daily”.
    • In the Action Tab, choose what action you want the task to perform. For our purposes, we'll select the “Start a program” option button. Click Next.​

    • In the “Start a Program” Tab: ​
    • In Program/script, Enter the path of the Windows PowerShell executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • In Arguments, enter the script file path. Say: c:\path\ad_inventory.ps1
    • In “Start in”, Enter the folder path where the script is located. Say “c:\path”


    Important: You must specify a value for the Start-in field, even though it's optional. This is because if no value is specified, PowerShell exports the output in the
    “C:\Windows\System32” directory.


    Select the checkbox “Open the Properties dialog for this task when I click Finish”, and click the Finish button.​

     


    In the properties dialog, under the General tab, ensure that the “Run when user is logged on or not” and “Run with highest privileges” checkboxes are selected to ensure you are running the script with Administrative rights

     



    Click the “OK” button to get a login prompt. Confirm the User Name and password in which the task runs (preferably a service account with a password never expires flag set) and press enter. The task scheduler will create a new task to run the PowerShell script on given parameters.

    What happens next?


    The output of the inventory will be formatted yo JSON and appended to the active responses log file in the agent.
    The Wazuh manager already has detection rules to classify these events.
    Grafana, under the EDR Dashboards section, “EDR – AD INVENTORY”, will display the inventory collected.

    Facebook Share Tweet

    Was this article helpfu?

    Yes No

    Thank you for voting

    Comments

    ×
    Select company

    You are related to multiple companies. Please select the company you wish to login as.