Skip to content

Karib0u/rustinel

BranchesTags

Repository files navigation

Rustinel logo

Rustinel

Open-source endpoint detection for Windows, Linux, and macOS

CI Latest release Downloads Stars
Platform Windows ETW Platform Linux eBPF Platform macOS ESF Docs License

Official site · Documentation · Latest Release · SIEM demos

Rustinel is an open-source endpoint detection project for Windows, Linux, and macOS.

It collects native host telemetry using ETW on Windows, eBPF on Linux, and Endpoint Security plus /dev/bpf on macOS, normalizes events into a shared model, evaluates Sigma, YARA, and IOC detections, writes ECS NDJSON alerts, and can optionally terminate malicious processes.

The goal is simple: give blue teams, researchers, and detection engineers a transparent endpoint detection engine they can inspect, run, test, and extend.

Rustinel Demo

Try the latest release

Use this path if you want to see a first alert quickly. The release archives include config.toml, bundled demo rules, IOC files, and an empty logs/ directory.

Linux

curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh -s -- --run

Prefer to inspect first:

curl -fsSLO https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh
less install.sh
sh install.sh --run

Windows

Run from an elevated PowerShell:

Invoke-WebRequest https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.ps1 -OutFile install-rustinel.ps1
powershell -ExecutionPolicy Bypass -File .\install-rustinel.ps1 -Run

Then trigger the bundled demo rule:

Linux:   whoami
Windows: whoami /all

Alerts are written to logs/alerts.json.<date>. To ingest them locally, use the Elastic and Splunk demos.

The install scripts only install published release binaries. They do not install Rust, Cargo, or build from source. If your OS or architecture has no release asset, they exit with a link to the source build path.

Prefer manual downloads? Use the latest GitHub Release.

Why Rustinel exists

Rustinel was created because there was a real gap in the open-source endpoint detection space.

The project aims to combine:

  • Native Windows telemetry through ETW
  • Native Linux telemetry through eBPF
  • A single cross-platform detection pipeline
  • Support for community detection formats like Sigma and YARA
  • IOC matching for hashes, IPs, domains, and path regexes
  • ECS NDJSON alert output for SIEM-friendly ingestion
  • A performant, memory-safe implementation in Rust

Some tools solve parts of this problem, but Rustinel brings these pieces together in one transparent and extensible agent.

Rustinel is not trying to hide behind a black box. The project is designed so defenders can understand exactly what telemetry is collected, how detections are evaluated, and where the current limits are.

What Rustinel does today

Rustinel currently provides:

  • Windows telemetry collection through ETW
  • Linux telemetry collection through eBPF
  • macOS telemetry collection through Endpoint Security and /dev/bpf
  • A shared event model across supported platforms
  • Sigma rule evaluation on normalized events
  • YARA scanning on process creation
  • IOC matching for file hashes, IPs, domains, and path regexes
  • ECS NDJSON alert output
  • Hot reload for rules and indicator files
  • Optional active response with dry-run and allowlists
  • Windows service support
  • Linux foreground execution under root or a supervisor of your choice
  • macOS foreground execution under root, or a launchd daemon

Architecture

Windows hosts        Linux hosts        macOS hosts
   ETW                  eBPF             ESF + /dev/bpf
    |                    |                    |
    +--------------------+--------------------+
                    |
          Normalized event model
                    |
        +-----------+-----------+
        |           |           |
      Sigma        YARA        IOC
   behavior     process      hashes,
   rules        creation     IPs,
                scanning     domains,
                             path regexes
        |           |           |
        +-----------+-----------+
                    |
             ECS NDJSON alerts
                    |
          Optional active response

Detection model

Rustinel combines three detection layers.

Sigma

Sigma is used for behavioral detections on normalized endpoint events.

Examples include:

  • Suspicious PowerShell activity
  • WMI execution
  • Service creation
  • Scheduled task creation
  • Suspicious process execution
  • Linux process, network, file, and DNS query activity

Sigma support makes Rustinel practical for detection engineers because existing community rules can be reused and adapted instead of being rewritten into a proprietary format.

YARA

YARA is used for file and tooling detection.

Today, Rustinel scans executables on process creation. This provides a practical high-signal scanning point without trying to behave like a full antivirus engine scanning everything on disk all the time.

YARA memory scanning is also supported, targeting private executable regions to detect packed, obfuscated, or runtime-unpacked payloads.

IOC matching

IOC matching provides fast deterministic checks against:

  • File hashes
  • IP addresses
  • Domains
  • Path regexes

IOC matching is useful for threat intelligence and incident response, but it is strongest when combined with behavioral detections and YARA scanning. Domain IOCs can match DNS QueryName on Windows, Linux, and macOS; Linux covers outbound plaintext DNS queries observed by eBPF, and macOS covers plaintext DNS queries observed via /dev/bpf capture.

Platform support

Platform Sensor Current coverage Runtime model
Windows 10/11, Server 2016+ ETW Process, image load, network, file, registry, DNS, PowerShell, WMI, service, task Foreground run or built-in Windows service commands
Linux 5.8+ with BTF eBPF Process, network, file, DNS Foreground run under root or your supervisor of choice
macOS 11+ Endpoint Security + /dev/bpf Process, file, network, DNS Experimental; foreground run under root (signed/entitled or SIP relaxed) or a launchd daemon

Windows telemetry coverage is broader today. Linux and macOS support currently focus on process, network, file, and DNS telemetry. Linux DNS events include outbound plaintext DNS QueryName; DNS response answers (QueryResults) are not parsed yet. macOS collects process and file events through Endpoint Security and network and DNS through /dev/bpf capture; network events are attributed to a process on a best-effort basis.

macOS support is experimental while the project waits for the required Endpoint Security Framework entitlement.

60-second demo

Download Rustinel, start the agent, trigger a test command, and inspect the generated alert.

Windows

cd .\rustinel-<version>-x86_64-pc-windows-msvc
.\rustinel.exe run
whoami /all
type .\logs\alerts.json.*

Linux

cd rustinel-<version>-x86_64-unknown-linux-musl
sudo ./rustinel run
whoami
cat logs/alerts.json.*

macOS

cd rustinel-<version>-aarch64-apple-darwin
sudo ./rustinel run
whoami
cat logs/alerts.json.*

Creating an Endpoint Security client requires root and the com.apple.developer.endpoint-security.client entitlement on signed, notarized builds. For local testing you can run with SIP/AMFI relaxed. See the development docs for ad-hoc signing steps.

The bundled demo rules are intended to validate that telemetry collection, rule evaluation, and alert output are working.

Quick start

Download the release package for your platform from GitHub Releases and extract it.

Windows

Download:

rustinel-<version>-x86_64-pc-windows-msvc.zip

Extract it, then run:

cd .\rustinel-<version>-x86_64-pc-windows-msvc
.\rustinel.exe run
whoami /all

The bundled Sigma demo rule should write an alert to:

logs/alerts.json.<date>

Linux

Choose the archive that matches your architecture:

rustinel-<version>-x86_64-unknown-linux-musl.tar.gz
rustinel-<version>-aarch64-unknown-linux-musl.tar.gz

Extract and run:

tar xzf rustinel-<version>-x86_64-unknown-linux-musl.tar.gz
cd rustinel-<version>-x86_64-unknown-linux-musl
sudo ./rustinel run
whoami

If startup fails with tracefs not found, mount the tracing filesystems and retry:

mount -t tracefs tracefs /sys/kernel/tracing
mount -t debugfs debugfs /sys/kernel/debug

The bundled Sigma demo rule should write an alert to:

logs/alerts.json.<date>

macOS

Choose the archive that matches your architecture:

rustinel-<version>-aarch64-apple-darwin.tar.gz
rustinel-<version>-x86_64-apple-darwin.tar.gz

Extract and run as root:

tar xzf rustinel-<version>-aarch64-apple-darwin.tar.gz
cd rustinel-<version>-aarch64-apple-darwin
sudo ./rustinel run

If startup fails with NotPrivileged, the Endpoint Security client could not be created: run as root with a signed, entitled build, or relax SIP/AMFI for local testing. A com.rustinel.agent.plist LaunchDaemon is included for persistent deployment.

Build from source

If you prefer to build locally instead of using a published release, use cargo build --release.

Windows

cargo build --release
.\target\release\rustinel.exe run

Linux

cargo build --release
sudo ./target/release/rustinel run

macOS

cargo build --release
codesign --force --sign - \
  --entitlements packaging/macos/rustinel.entitlements \
  target/release/rustinel
sudo ./target/release/rustinel run

Ad-hoc signing with the entitlement only takes effect when SIP/AMFI is relaxed; distributable builds require a Developer ID and notarization.

For full release setup, source-build prerequisites, and validation steps, see the Getting Started documentation.

Output

Rustinel writes operational logs and alerts to disk.

logs/rustinel.log.<date>
logs/alerts.json.<date>

Alert format:

ECS 9.3.0 NDJSON

This makes Rustinel alerts easy to ingest into SIEM and log pipelines.

Best for

Rustinel is currently best suited for:

  • Lab deployments and evaluations
  • Detection engineering
  • Rule development and testing
  • Blue teams that want transparent host telemetry
  • Cross-platform detection research
  • SIEM pipeline testing
  • Learning how ETW, eBPF, Sigma, YARA, and IOCs can fit together

What Rustinel is not

Rustinel is not a full replacement for every capability of a mature commercial EDR.

Today, Rustinel does not try to provide the same kernel-level self-protection, pre-execution blocking, anti-tamper guarantees, or managed response capabilities that commercial EDR products may provide.

A sufficiently privileged attacker may be able to interfere with user-mode components or telemetry sources. Kernel-level threats, telemetry tampering, and heavily obfuscated activity may require additional controls or future Rustinel capabilities.

Rustinel is designed as a transparent open-source detection engine focused on telemetry collection, rule-based detection, alert generation, and research.

Roadmap

Near-term focus is on first-run experience, a curated detection pack, and deployment reliability. Telemetry expansion and advanced EDR capabilities come after the basics are solid.

See the full roadmap for details.

Documentation

Contributing

Contributions, testing, feedback, and detection ideas are welcome. See CONTRIBUTING.md to get started.

License

Apache 2.0. See LICENSE.

About

Open-source cross-platform endpoint detection engine for Windows, macOS, and Linux using ETW, ESF, eBPF, Sigma, YARA, IOCs, and ECS NDJSON alerts.

docs.rustinel.io

Topics

linux rust incident-response etw sysmon siem ebpf sigma yara security-tools linux-security malware-detection blue-team edr threat-detection security-monitoring endpoint-security windows-security detection-engineering endpoint-detection

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

369 stars

Watchers

7 watching

Forks

38 forks
Report repository

Releases 12

Rustinel v1.1.1 Latest
Jun 6, 2026
+ 11 releases

Packages

 
 
 

Contributors

Languages