Open-source endpoint detection has long been split between Windows-focused tools built around Sysmon and Linux tools built around eBPF or auditd. Defenders running mixed environments have had to stitch together separate pipelines, separate rule sets, and separate maintenance burdens. Rustinel, a Rust-based endpoint agent, is an attempt to collapse that work into a single codebase.
A single agent across two operating systems
Rustinel collects telemetry through ETW (Event Tracing for Windows) on Windows and eBPF on Linux, normalizes the events into a shared model, and evaluates them against Sigma rules, YARA signatures, and atomic indicators of compromise. Alerts are written to disk as ECS (Elastic Common Schema)-compatible NDJSON (newline-delimited JSON), a format that is easy to ship, parse, and integrate into SIEM or log-analysis pipelines such as Elastic or Splunk.
Windows coverage spans process creation, image load, network, file, registry, DNS, PowerShell, WMI, service, and scheduled task events. Linux coverage currently includes process, network, file, and DNS telemetry. According to the project, Windows coverage remains broader for now, with Linux eBPF support continuing to expand.
The agent runs in user mode on both platforms. On Windows it can be installed as a service. On Linux it requires kernel 5.8 or newer with BTF (BPF Type Format) support and runs under root or a supervisor of the operator’s choice. Active response is optional and can be set to dry-run, with allowlists that exempt trusted paths.
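A preflight check for those Linux requirements, written for this article and not part of Rustinel: it parses the running kernel's release string and looks for the BTF blob that BTF-enabled kernels expose at /sys/kernel/btf/vmlinux. The 5.8 minimum is the one stated above; the function names are this example's own.

```python
# Added example, not Rustinel's code: preflight for the Linux requirements the
# article states (kernel 5.8+ with BTF). Paths are the kernel's own interfaces.
import os
import re

MIN_KERNEL = (5, 8)                        # minimum taken from the article
BTF_VMLINUX = "/sys/kernel/btf/vmlinux"    # present on CONFIG_DEBUG_INFO_BTF kernels
OSRELEASE = "/proc/sys/kernel/osrelease"   # same string as `uname -r`


def parse_release(release: str):
    """'5.15.0-91-generic' -> (5, 15); None when there is no leading major.minor."""
    m = re.match(r"\s*(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2))) if m else None


def kernel_at_least(release: str, minimum=MIN_KERNEL) -> bool:
    v = parse_release(release)
    return v is not None and v >= minimum  # tuple compare: major first, then minor


def preflight(release: str, btf_path: str = BTF_VMLINUX) -> list:
    """Return every unmet requirement; an empty list means the host is ready."""
    problems = []
    if not kernel_at_least(release):
        problems.append(f"kernel {release.strip() or '?'} is older than "
                        f"{MIN_KERNEL[0]}.{MIN_KERNEL[1]}")
    if not os.path.isfile(btf_path):
        problems.append(f"no BTF at {btf_path} "
                        "(kernel built without CONFIG_DEBUG_INFO_BTF?)")
    return problems


if __name__ == "__main__":
    try:
        with open(OSRELEASE) as f:
            running = f.read()
    except OSError:       # not Linux, or /proc unavailable
        running = ""
    for msg in preflight(running) or ["eBPF agent prerequisites met"]:
        print(msg)
```

Run it on the target host before installing; it reports every unmet requirement rather than stopping at the first. It does not check that it is running as root, which the agent also needs.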
A user-mode design choice
Most commercial EDR products ship a kernel driver to obtain early visibility and tamper resistance. Rustinel takes a different path. Author Théo Foucher said the choice was deliberate.
“Most commercial EDRs rely on a kernel driver for good reasons: tamper resistance, early visibility, and the ability to observe or block some activity before user-mode components see it. With Rustinel, I made a different design choice: stay as simple, transparent, and stable as possible while still collecting useful host telemetry,” Foucher told Help Net Security.
He acknowledged the limits of that decision. A user-mode agent cannot match a kernel driver for tamper resistance or deep kernel visibility, and Rustinel is not designed to stop kernel-mode rootkits or defend against a privileged attacker who can disable telemetry. The benefit, he argued, is operational: a bug in a user-mode process is far less likely to crash a host than a bug in kernel space, and Rust’s memory safety removes entire classes of defects by default.
Foucher also pointed to the limits of kernel-based protection itself. “BYOVD techniques and other driver-abuse attacks have demonstrated that even mature commercial EDRs can be attacked through the kernel path,” he said.
Three detection layers
Rustinel runs three detection engines in parallel. Sigma handles behavioral matching against the normalized event stream. YARA scans executables on process creation. The IOC engine performs deterministic checks for known hashes, IP ranges, domains, and path patterns.
Foucher said the combination was chosen so defenders could reuse content they already maintain. “I arrived at Sigma, YARA, and IOC matching because they solve different parts of the detection problem and they are already widely understood by defenders.”
He was direct about coverage gaps. Memory-only payloads, heavily obfuscated living-off-the-land activity, novel behavior outside existing Sigma rules, and telemetry-tampering techniques sit outside what the agent currently catches. Encrypted command-and-control over trusted infrastructure can also evade IOC matching unless surrounding behavior triggers a rule. Memory scanning with YARA is in active development to improve coverage against packed and runtime-unpacked payloads.
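To make the division of labour between the engines concrete, here is an added example, not Rustinel's code and not the project's event model, that runs a Sigma-style behavioural rule and the four IOC families named above over three constructed events and writes each hit as an ECS-shaped NDJSON line. YARA is left out because it needs a scanning library. The first event is the gap just described: command-and-control to a destination that appears on no list, so the IOC layer stays silent and only the behavioural rule fires; the third event trips every IOC check. Rule content, indicators, field names and events are all constructed for the example.

```python
# Added example, not Rustinel's code. Two of the article's three detection layers
# over a normalized event model, with hits written as ECS-shaped NDJSON.
import ipaddress
import json
from dataclasses import dataclass


@dataclass
class Event:  # normalized process event plus network/DNS context (assumed shape)
    parent_image: str
    image: str
    command_line: str
    sha256: str
    dest_ip: str = ""
    dns_query: str = ""


# Layer 1: a Sigma-style selection. As in Sigma, clauses are ANDed and the value
# list under one field|modifier clause is ORed; matching is case-insensitive.
OFFICE_TO_ENCODED_PS = {
    "title": "Office application spawning encoded PowerShell",
    "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "CommandLine|contains": [" -enc ", " -encodedcommand "],
}
FIELD_MAP = {"ParentImage": "parent_image", "Image": "image", "CommandLine": "command_line"}


def sigma_match(rule: dict, e: Event) -> bool:
    for key, values in rule.items():
        if "|" not in key:
            continue  # metadata such as "title"
        field, modifier = key.split("|", 1)
        actual = getattr(e, FIELD_MAP[field]).lower()
        if modifier == "endswith":
            ok = any(actual.endswith(v.lower()) for v in values)
        elif modifier == "contains":
            ok = any(v.lower() in actual for v in values)
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not ok:
            return False
    return True


# Layer 2: atomic IOCs (constructed; the hash is a placeholder, the range is RFC 5737).
IOCS = {
    "hashes": {"deadbeef" * 8},
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],
    "domains": ["bad.example"],
    "paths": ["/tmp/", "\\appdata\\local\\temp\\"],
}


def ioc_hits(e: Event, iocs=IOCS) -> list:
    hits = []
    if e.sha256.lower() in iocs["hashes"]:
        hits.append(f"ioc.hash:{e.sha256}")
    if e.dest_ip and any(ipaddress.ip_address(e.dest_ip) in n for n in iocs["cidrs"]):
        hits.append(f"ioc.ip:{e.dest_ip}")
    if e.dns_query:
        q = e.dns_query.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in iocs["domains"]):  # subdomains too
            hits.append(f"ioc.domain:{q}")
    if any(p in e.image.lower() for p in iocs["paths"]):
        hits.append(f"ioc.path:{e.image}")
    return hits


def ecs_alert(rule_name: str, e: Event) -> str:
    """One alert as a single compact JSON line using a subset of ECS field names."""
    doc = {
        "event": {"kind": "alert", "category": ["process"]},
        "rule": {"name": rule_name},
        "process": {"executable": e.image, "command_line": e.command_line,
                    "hash": {"sha256": e.sha256}, "parent": {"executable": e.parent_image}},
    }
    return json.dumps(doc, separators=(",", ":"))


def detect(events, rules=(OFFICE_TO_ENCODED_PS,), iocs=IOCS) -> list:
    lines = []
    for e in events:
        lines += [ecs_alert(r["title"], e) for r in rules if sigma_match(r, e)]
        lines += [ecs_alert(hit, e) for hit in ioc_hits(e, iocs)]
    return lines


# Constructed stream. Event 0 is the case the article describes: C2 to an unlisted,
# benign-looking destination, so IOCs stay silent and only the behavioural rule fires.
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
          "0123456789abcdef" * 4, "198.51.100.10", "cdn.example"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
          r"notepad.exe C:\Users\a\notes.txt", "00" * 32),
    Event("/bin/bash", "/tmp/.x/agent", "/tmp/.x/agent --beacon",
          "deadbeef" * 8, "203.0.113.7", "c2.bad.example"),  # trips every IOC family
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Each line is self-describing and can be appended to a file and shipped as-is; the rule name doubles as the IOC family tag for deterministic hits, so a consumer can tell the two layers apart without a second field.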
Rustinel is available for free on GitHub under the Apache 2.0 license.