From ab0ec432dfc9cc5660b15fed521006f547ae20c2 Mon Sep 17 00:00:00 2001
From: taylor_socfortress <111797488+taylorwalton@users.noreply.github.com>
Date: Wed, 19 Mar 2025 09:08:53 -0500
Subject: [PATCH] Create ad_inventory.ps1
---
 AD_Inventory/ad_inventory.ps1 | 53 +++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 AD_Inventory/ad_inventory.ps1
diff --git a/AD_Inventory/ad_inventory.ps1 b/AD_Inventory/ad_inventory.ps1
new file mode 100644
index 0000000..a71e6ed
--- /dev/null
+++ b/AD_Inventory/ad_inventory.ps1
@@ -0,0 +1,53 @@
+################################
+### Script to Obtain AD Machines Inventory.
+### Asset Criticality Assigned based on Machine Type / Role.
+### SOCFortress
+### https://www.socfortress.co
+### info@socfortress.co
+################################
+# Define Asset Criticality by Machine Type/Role (Criticality = 0 - 15)
+$domain_controller_criticality = 13
+$member_server_criticality = 8
+$workstation_criticality = 5
+# Wait time between loop execution. Avoid filling up Wazuh agent queue.
+$wait_time = 0.2
+#Write inventory output to Active Response File
+Function WriteLogFile ([String]$LogFileText)
+{
+echo $computer_json | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
+}
+# Get the current computer's domain name
+$domainName = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
+# List all domain controllers in the domain
+$domain_controllers = @(Get-ADDomainController -Filter * -Server $domainName | Select-Object Name)
+# Retrieve computer objects from Active Directory
+$computers = Get-ADComputer -Filter "Enabled -eq 'True'" -Properties * | select Name, CN, Created, DistinguishedName, DNSHostName, LastLogonDate, Location, LockedOut, MemberOf, Modified, ObjectCategory, ObjectClass, OperatingSystem, OperatingSystemVersion, PrimaryGroup
+# Loop thru Computers
+foreach ($computer in $computers) {
+#Add a normalised field for the Machine Name
+ $computer | Add-Member -MemberType NoteProperty -Name "machine_name" -Value $computer.Name
+#Assign asset criticality based on machine type/role
+###Windows Domain Controllers
+
+ if ($domain_controllers.Name -contains $computer.Name) {
+ $computer | Add-Member -MemberType NoteProperty -Name "asset_criticality" -Value "$domain_controller_criticality"
+ $computer | Add-Member -MemberType NoteProperty -Name "collection" -Value "ad_inventory"
+ $computer_json = $computer | ConvertTo-Json -Depth 1 -Compress
+ WriteLogFile -LogFileText $computer_json
+ }
+###Member Servers
+ elseif ($computerOperatingSystem -like "*Server*" -and $domain_controllers.Name -notcontains $computer.Name) {
+ $computer | Add-Member -MemberType NoteProperty -Name "asset_criticality" -Value "$member_server_criticality"
+ $computer | Add-Member -MemberType NoteProperty -Name "collection" -Value "ad_inventory"
+ $computer_json = $computer | ConvertTo-Json -Depth 1 -Compress
+ WriteLogFile -LogFileText $computer_json
+ }
+###Workstations
+ else {
+ $computer | Add-Member -MemberType NoteProperty -Name "asset_criticality" -Value "$workstation_criticality"
+ $computer | Add-Member -MemberType NoteProperty -Name "collection" -Value "ad_inventory"
+ $computer_json = $computer | ConvertTo-Json -Depth 1 -Compress
+ WriteLogFile -LogFileText $computer_json
+ }
+ Start-Sleep -Seconds $wait_time
+}
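Review bot: The `elseif` branch tests `$computerOperatingSystem`, a variable that is never assigned anywhere in the script, so in PowerShell's default non-strict mode it is always `$null`, `-like "*Server*"` never matches, and every non-DC member server falls through to the workstation branch and is logged with criticality 5 instead of 8. It should read `elseif ($computer.OperatingSystem -like "*Server*") {` — the `-notcontains` clause is redundant because the preceding `if` already took the domain-controller case. Separately, `WriteLogFile` ignores its `$LogFileText` parameter and writes the outer-scope `$computer_json`, which only works by accident of scoping; the body should be `echo $LogFileText | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii`. Adding `Set-StrictMode -Version Latest` at the top of the script would make an undefined variable like this fail loudly rather than silently downgrading the criticality of the inventory sent to Wazuh.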