
This worklet will install Nessus Agent on 64-bit versions of Windows. It requires your own key and the Nessus Agent installer to be uploaded to the worklet.

 

Evaluation

  • Parameters
    • The function Convert-EpochtoCST will break during DST; it currently removes 5 hours to turn UTC time into CST
    • The $status variable assumes the 64-bit agent was installed. Add logic if you have 32-bit agents deployed.
  • Converts the output of nessuscli agent status to a PowerShell object
  • If Link Status is not Connected, run remediation
  • If Last Connected is 28+ days ago, run remediation
  • If no status exists, run remediation
Function Convert-EpochtoCST ($epochTime){
    # Fixed offset (see the parameters note above): it does not follow DST, and UTC-5 is the Central daylight-time offset
    (New-Object DateTime 1970,1,1,0,0,0).AddSeconds($epochTime).AddHours(-5) # UTC to CST
}

Function Get-NessusStatus{

    # Collect Status (64-bit install path; adjust if you deploy the 32-bit agent)
    $nessuscli = "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe"
    IF(-not (Test-Path $nessuscli)){ return $null } # no agent: the caller treats "no status" as a failure
    $status = @(& $nessuscli agent status)

    # Value after "Label: ", anchored to the start of the line so that, for example,
    # "Last connect" cannot also pick up the "Last connection attempt" line
    Function Get-Field ($label){
        $pattern = "^" + [regex]::Escape($label) + ":\s*"
        $line = @($status -match $pattern)
        IF($line){ ($line[0] -replace $pattern, "").Trim() }
    }

    # Epoch fields: use the leading digits only, so a trailing date string does no harm
    Function Get-EpochField ($label){
        $value = Get-Field $label
        IF($value -match "^\d+"){ Convert-EpochtoCST ([long]$Matches[0]) }
    }

    # Last Scanned / Last connect / Last connect attempt ($null when the agent did not report them)
    $LastScanned = Get-EpochField "Last scanned"
    $LastConnect = Get-EpochField "Last connect"
    $LastConnectAtmpt = Get-EpochField "Last connection attempt"

    [pscustomobject]@{
        "Running" = Get-Field "Running"
        "Linked to" = Get-Field "Linked to"
        "Link status" = Get-Field "Link status"
        "Last connection" = Get-Field "Last successful connection with controller"
        "Proxy" = Get-Field "Proxy"
        "Plugin set" = Get-Field "Plugin set"
        "Scanning" = Get-Field "Scanning"
        "Scans run today" = Get-Field "Scans run today"
        "Last scanned" = $LastScanned
        "Last connect" = $LastConnect
        "Last connection attempt" = $LastConnectAtmpt
    }
}

$status = Get-NessusStatus

IF($status){

    # Anchored on purpose: -match is case-insensitive, so an unanchored 'Connected'
    # would also accept a value such as "Not connected"
    IF($status.'Link status' -notmatch '^Connected'){
        exit 1 # Nessus Agent not Connected
    }

    IF(-not $status.'Last connect'){
        exit 1 # Nessus Agent never reported a connection time
    }
    $timespan = (New-TimeSpan -Start $status.'Last connect' -End (Get-Date)).Days
    IF($timespan -gt 28){
        exit 1 # Nessus Agent not connected 28+ days, possibly bad agent
    }

}else{
    exit 1 # Nessus Agent Not Installed
}
exit 0

 

Remediation

  • Parameters
    • Same nuances with time zone and agent install path
    • Important: update $key to match your own environment
    • Important: upload the payload MSI; the script will look for a file called NessusAgent*
  • Converts the output of nessuscli agent status to a PowerShell object
  • If Link Status is not Connected, use nessuscli to link the asset
  • If Last Connected is 28+ days ago, install Nessus Agent
  • If no status exists, Install Nessus Agent
$key = '<your-company-key>'
$nessuscli = "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" # 64-bit install path; adjust for the 32-bit agent
$i = 0 # counts reasons to (re)install

Function Convert-EpochtoCST ($epochTime){
    # Fixed offset (see the parameters note above): it does not follow DST, and UTC-5 is the Central daylight-time offset
    (New-Object DateTime 1970,1,1,0,0,0).AddSeconds($epochTime).AddHours(-5) # UTC to CST
}

Function Get-NessusStatus{

    # Collect Status
    IF(-not (Test-Path $nessuscli)){ return $null } # no agent: "no status" triggers the install below
    $status = @(& $nessuscli agent status)

    # Value after "Label: ", anchored to the start of the line so that, for example,
    # "Last connect" cannot also pick up the "Last connection attempt" line
    Function Get-Field ($label){
        $pattern = "^" + [regex]::Escape($label) + ":\s*"
        $line = @($status -match $pattern)
        IF($line){ ($line[0] -replace $pattern, "").Trim() }
    }

    # Epoch fields: use the leading digits only, so a trailing date string does no harm
    Function Get-EpochField ($label){
        $value = Get-Field $label
        IF($value -match "^\d+"){ Convert-EpochtoCST ([long]$Matches[0]) }
    }

    # Last Scanned / Last connect / Last connect attempt ($null when the agent did not report them)
    $LastScanned = Get-EpochField "Last scanned"
    $LastConnect = Get-EpochField "Last connect"
    $LastConnectAtmpt = Get-EpochField "Last connection attempt"

    [pscustomobject]@{
        "Running" = Get-Field "Running"
        "Linked to" = Get-Field "Linked to"
        "Link status" = Get-Field "Link status"
        "Last connection" = Get-Field "Last successful connection with controller"
        "Proxy" = Get-Field "Proxy"
        "Plugin set" = Get-Field "Plugin set"
        "Scanning" = Get-Field "Scanning"
        "Scans run today" = Get-Field "Scans run today"
        "Last scanned" = $LastScanned
        "Last connect" = $LastConnect
        "Last connection attempt" = $LastConnectAtmpt
    }
}

$status = Get-NessusStatus

IF($status){

    # Anchored on purpose: -match is case-insensitive, so an unanchored 'Connected'
    # would also accept a value such as "Not connected"
    IF($status.'Link status' -notmatch '^Connected'){
        Write-Output "Nessus Agent not Linked. Attempting to connect."
        # License
        $link = & $nessuscli agent link "--key=$key" --cloud 2>&1
        Write-Output $link
    }

    IF(-not $status.'Last connect'){
        Write-Output "Nessus Agent never reported a connection time. Attempting to install agent again"
        $i++
    }ELSE{
        $timespan = (New-TimeSpan -Start $status.'Last connect' -End (Get-Date)).Days
        IF($timespan -gt 28){
            Write-Output "Nessus Agent last connected $timespan days ago. Attempting to install agent again"
            $i++ # Nessus Agent not connected 28+ days, possibly bad agent
        }
    }
}else{
    $i++ # no status: Nessus Agent not installed
}

IF($i -gt 0){
    # Install the payload uploaded with the worklet (first file named NessusAgent*.msi in the working directory)
    $msi = Get-ChildItem -Filter "NessusAgent*.msi" | Select-Object -First 1
    IF(-not $msi){ Write-Output "No NessusAgent*.msi found in $PWD"; exit 1 }
    $install = Start-Process msiexec.exe -ArgumentList "/i `"$($msi.FullName)`" NESSUS_SERVER=cloud.tenable.com:443 /qn" -Wait -PassThru
    # 0 = success, 3010 = success with a reboot pending; anything else is a failed install
    IF($install.ExitCode -notin 0, 3010){ Write-Output "msiexec exited with $($install.ExitCode)"; exit 1 }
    $link = & $nessuscli agent link "--key=$key" --cloud 2>&1
    Write-Output $link
}
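Added example for the Evaluation section above (this is not the worklet's code): the status text is parsed into an object and the three checks are applied to it, so the logic can be exercised offline against sample output. Assumptions that are not on the page: the Windows time-zone id 'Central Standard Time', the function names, and the constructed sample output, whose field names and layout may differ from what a given agent version prints.

```powershell
# Added example, not the worklet's code: parse the text "nessuscli agent status"
# prints into an object and apply the Evaluation checks, with two differences
# from the worklet:
#   * labels are matched anchored ("^Label:"), so "Last connect" cannot also
#     pick up the "Last connection attempt" line
#   * epoch values are converted with TimeZoneInfo, which follows DST, instead
#     of a fixed -5 hour offset
# Assumptions: the Windows time-zone id below, and the field names and layout
# of the constructed sample (real output may differ by agent version).

function ConvertFrom-NessusAgentStatus {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $TimeZoneId = 'Central Standard Time'   # assumed; change for your region
    )
    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        # "Label: value"; only the first colon ends the label, so
        # "Linked to: cloud.tenable.com:443" keeps its port
        if ($line -match '^(?<label>[^:]+):\s*(?<value>.*)$') {
            $fields[$Matches.label.Trim()] = $Matches.value.Trim()
        }
    }
    # Fields reported as Unix epoch seconds; only the leading digits are used,
    # so a trailing human-readable date would do no harm
    foreach ($name in 'Last scanned', 'Last connect', 'Last connection attempt') {
        $value = $fields[$name]
        if ($value -and $value -match '^\d+') {
            $utc = [DateTimeOffset]::FromUnixTimeSeconds([long]$Matches[0]).UtcDateTime
            $fields[$name] = [TimeZoneInfo]::ConvertTimeFromUtc($utc, $tz)
        } else {
            $fields[$name] = $null   # absent or unparseable: the check below treats it as "never"
        }
    }
    [pscustomobject]$fields
}

function Test-NessusAgentHealthy {
    param(
        [Parameter(Mandatory)] $Status,
        [int] $MaxDaysSinceConnect = 28,
        [datetime] $Now = (Get-Date)
    )
    # Anchored on purpose: -match is case-insensitive, so an unanchored
    # 'Connected' would also accept a value such as "Not connected"
    if ($Status.'Link status' -notmatch '^Connected') {
        return [pscustomobject]@{ Healthy = $false; Reason = "link status is '$($Status.'Link status')'" }
    }
    if (-not $Status.'Last connect') {
        return [pscustomobject]@{ Healthy = $false; Reason = 'no last-connect timestamp' }
    }
    $days = (New-TimeSpan -Start $Status.'Last connect' -End $Now).Days
    [pscustomobject]@{
        Healthy = ($days -le $MaxDaysSinceConnect)
        Reason  = "last connected $days days ago"
    }
}

# Constructed sample in the shape the worklet parses (not captured from a real agent)
$sample = @'
Running: Yes
Linked to: cloud.tenable.com:443
Link status: Connected to cloud.tenable.com:443
Proxy: None
Plugin set: 202311140919
Scanning: No
Scans run today: 0
Last scanned: 1699999999
Last connect: 1700000000
Last connection attempt: 1700000000
'@ -split "`r?`n"

$parsed = ConvertFrom-NessusAgentStatus -Lines $sample
$parsed | Format-List
# Evaluate against fixed dates so the verdict does not depend on when this runs
Test-NessusAgentHealthy -Status $parsed -Now ([datetime]'2023-11-20')
Test-NessusAgentHealthy -Status $parsed -Now ([datetime]'2024-01-01')
```

Epoch 1700000000 is 2023-11-14 22:13:20 UTC; with DST already over on that date the Central conversion gives 16:13:20, so the first evaluation is within 28 days and passes, while the second, against 2024-01-01, is 47 days later and fails. Swapping the sample's "Link status" value for something like "Not connected" shows why the anchor matters: the worklet's unanchored -notmatch 'Connected' would still treat that agent as healthy.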
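Added example for the Remediation section above (not the worklet's code): the link/install decision rebuilt as functions that support -WhatIf, so the branch logic can be dry-run on a machine that has no agent, with exit-code checks on msiexec and nessuscli and an Authenticode check on the payload before it is executed as SYSTEM. The install path, the NESSUS_SERVER value and the nessuscli link flags are the ones on the page; the signer check, the expected signer substring 'Tenable', the function names and the sample paths are this example's assumptions, not Tenable guidance.

```powershell
# Added example, not the worklet's code: the Remediation branch as -WhatIf aware
# functions. Assumptions: the 64-bit install path and nessuscli/msiexec arguments
# from the page; the Authenticode check and the expected signer substring are
# this example's additions (check the subject string against a real download).

$NessusCli = 'C:\Program Files\Tenable\Nessus Agent\nessuscli.exe'

function Install-NessusAgent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string] $Server = 'cloud.tenable.com:443',
        [string] $ExpectedSigner = 'Tenable'   # assumption: substring of the signing cert subject
    )
    if (-not $PSCmdlet.ShouldProcess($MsiPath, "msiexec /i with NESSUS_SERVER=$Server")) { return }
    # The worklet runs as SYSTEM, so refuse anything that is not a validly signed package
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Refusing to install '$MsiPath': signature $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
    }
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList "/i `"$MsiPath`" NESSUS_SERVER=$Server /qn /norestart"
    # 0 = success, 3010 = success with a reboot pending; anything else is a failed install
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exited with $($proc.ExitCode)" }
    $proc.ExitCode
}

function Register-NessusAgent {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Key)
    if (-not $PSCmdlet.ShouldProcess('Nessus Agent', 'nessuscli agent link --cloud')) { return }
    # Native call with the quoted path; $LASTEXITCODE is the reliable success signal
    $output = & $NessusCli agent link "--key=$Key" --cloud 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nessuscli agent link failed ($LASTEXITCODE): $output" }
    $output
}

function Invoke-NessusRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        $Status,                                        # object from the worklet's Get-NessusStatus, or $null
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $MsiPath,
        [int] $MaxDaysSinceConnect = 28
    )
    $reinstall = -not $Status                           # no status: the agent is not installed
    if ($Status) {
        if ($Status.'Link status' -notmatch '^Connected') {
            Write-Verbose 'Agent not connected; linking'
            Register-NessusAgent -Key $Key
        }
        $days = if ($Status.'Last connect') {
            (New-TimeSpan -Start $Status.'Last connect' -End (Get-Date)).Days
        } else { [int]::MaxValue }                      # never connected: treat as stale
        if ($days -gt $MaxDaysSinceConnect) {
            Write-Verbose "Last connection $days days ago; reinstalling"
            $reinstall = $true
        }
    }
    if ($reinstall) {
        Install-NessusAgent -MsiPath $MsiPath -Server 'cloud.tenable.com:443'
        Register-NessusAgent -Key $Key
    }
}

# Dry run with a constructed stale status and a placeholder MSI path: prints the
# actions it would take and touches nothing
$stale = [pscustomobject]@{
    'Link status'  = 'Connected to cloud.tenable.com:443'
    'Last connect' = (Get-Date).AddDays(-40)
}
Invoke-NessusRemediation -Status $stale -Key '<your-company-key>' -MsiPath 'C:\payload\NessusAgent-x64.msi' -WhatIf -Verbose
```

With -WhatIf the outer call propagates $WhatIfPreference into the nested functions, so the run reports the msiexec and nessuscli steps it would perform without reading the MSI or invoking either binary; drop -WhatIf (and point -MsiPath at the uploaded payload) to perform them, at which point the signature check runs before msiexec does.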

 

Thanks for sharing this Worklet, Jack! Look out for a DM from me here. We want to send you some fun swag! 👏

