{"id":43263462,"url":"https://github.com/karib0u/rustinel","last_synced_at":"2026-03-04T20:08:28.009Z","repository":{"id":335746158,"uuid":"1146898804","full_name":"Karib0u/rustinel","owner":"Karib0u","description":"Windows EDR agent in Rust. ETW telemetry → Sigma/YARA detection → ECS alerts. User-mode, open-source, high-performance.","archived":false,"fork":false,"pushed_at":"2026-02-04T18:51:46.000Z","size":1072,"stargazers_count":51,"open_issues_count":0,"forks_count":9,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-06T05:46:34.559Z","etag":null,"topics":["blue-team","detection-engineering","edr","endpoint-detection","etw","incident-response","malware-detection","rust","security-tools","siem","sigma","sysmon","threat-detection","windows-security","yara"],"latest_commit_sha":null,"homepage":"https://karib0u.github.io/rustinel/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Karib0u.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"docs/roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-31T21:27:43.000Z","updated_at":"2026-02-05T17:52:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"01b70d11-cc04-4375-93a7-03eba7f9a9b5","html_url":"https://github.com/Karib0u/rustinel","commit_stats":null,"previous_names":["karib0u/rustinel"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/Karib0u/rustinel","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frust
inel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Karib0u","download_url":"https://codeload.github.com/Karib0u/rustinel/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29179560,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T22:12:24.066Z","status":"ssl_error","status_checked_at":"2026-02-06T22:12:09.859Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","detection-engineering","edr","endpoint-detection","etw","incident-response","malware-detection","rust","security-tools","siem","sigma","sysmon","threat-detection","windows-security","yara"],"created_at":"2026-02-01T15:00:28.728Z","updated_at":"2026-03-04T20:08:27.988Z","avatar_url":"https://github.com/Karib0u.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Rustinel\n**High-performance, user-mode Windows EDR in Rust**\n\n\u003cp align=\"center\"\u003e\n  \u003ca 
href=\"https://karib0u.github.io/rustinel/\"\u003e\u003cimg src=\"https://img.shields.io/badge/docs-available-brightgreen\" alt=\"Docs\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/platform-Windows-blue?logo=windows\" alt=\"Platform Windows\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/language-Rust-orange?logo=rust\" alt=\"Language Rust\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/license-Apache%202.0-green\" alt=\"License\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/status-Alpha-yellow\" alt=\"Status\"\u003e\n\u003c/p\u003e\n\nRustinel is a **high-throughput Windows EDR agent** written in **Rust**. It collects **kernel telemetry via ETW**, normalizes events into a **Sysmon-compatible schema**, detects threats using **Sigma** + **YARA**, and outputs alerts as **ECS NDJSON** for straightforward SIEM ingestion.\n\n\u003e ✅ No kernel driver  \n\u003e ✅ User-mode ETW pipeline  \n\u003e ✅ Sigma behavioral detection, YARA scanning, IOC detection  \n\u003e ✅ Local hot reload for Sigma/YARA/IOC files  \n\u003e ✅ ECS NDJSON alerts + operational logs\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/images/demo.gif\" alt=\"Rustinel Demo\" width=\"900\"\u003e\n\u003c/p\u003e\n\n---\n\n## Why Rustinel?\n\nRustinel is built for defenders who want:\n- **Kernel-grade telemetry** without kernel risk (ETW, user-mode)\n- **Performance under volume** (async pipeline + caching + noise reduction)\n- **Detection compatibility** (Sysmon-style normalization for Sigma)\n- **Operational simplicity** (NDJSON alerts on disk, easy to ship to a SIEM)\n\n---\n\n## What it does\n\nRustinel monitors Windows endpoints by:\n- Collecting kernel events via **ETW** (process, network, file, registry, DNS, PowerShell, WMI, services, tasks)\n- Normalizing ETW events into **Sysmon-compatible** fields\n- Detecting threats using **Sigma rules** and **YARA scanning**\n- Detecting **atomic IOCs** (hashes, IP/CIDR, domains, path regex)\n- 
Hot-reloading local Sigma/YARA/IOC files without process restart\n- Writing alerts in **ECS NDJSON** format\n\n---\n\n## Key features\n\n- **User-mode only**: no kernel driver required\n- **Dual detection engines**:\n  - **Sigma** for behavioral detection\n  - **YARA** for file scanning on process start\n- **Atomic IOC detection**: hashes, IP/CIDR, domains, path regex\n- **Local hot reload**: Sigma, YARA, and IOC files are reloaded in-place with atomic swaps\n- **Noise reduction**:\n  - keyword filtering at the ETW session\n  - router-level filtering for high-volume network events\n  - optional network connection aggregation\n- **Hot-path optimizations**:\n  - Sigma rules are filtered at load time (`category`/`product`/`service`)\n  - Sigma conditions are transpiled + precompiled at startup and on hot reload\n  - process-context enrichment is attached on alerts, not every event\n- **Enrichment**:\n  - NT → DOS path normalization\n  - PE metadata extraction (OriginalFileName/Product/Description)\n  - parent process correlation\n  - SID → `DOMAIN\\User` resolution\n  - DNS caching and reverse mapping\n- **Windows service support** (install/start/stop/uninstall)\n- **ECS NDJSON alerts** for SIEM ingestion\n- **Optional active response** (dry-run or terminate on critical alerts)\n\n---\n\n## Requirements\n\n- Windows 10/11 or Server 2016+\n- Administrator privileges (ETW + service management)\n- Rust 1.92+ (build from source)\n\n---\n\n## Quick start\n\n\u003e Run from an elevated PowerShell.\n\n**Option 1: Download Release (Recommended)**\n1. Download the latest release from [GitHub Releases](https://github.com/Karib0u/rustinel/releases).\n2. Extract the archive.\n3. 
Run from an elevated PowerShell:\n   ```powershell\n   .\\rustinel.exe run --console\n   ```\n\n**Option 2: Build from Source**\n\n```powershell\n# Build\ncargo build --release\n\n# Run (console output)\n.\\target\\release\\rustinel.exe run --console\n```\n\nRunning without arguments is equivalent to `rustinel run`.\n\n---\n\n## 2-minute demo\n\n### Sigma demo\n\nThis repo ships with an example rule: `rules/sigma/example_whoami.yml`\n\n1. Start Rustinel (admin shell):\n\n```powershell\ncargo run -- run --console\n```\n\n2. Trigger the rule:\n\n```powershell\nwhoami /all\n```\n\n3. Verify an alert was written:\n\n* `logs/alerts.json.YYYY-MM-DD`\n\n---\n\n### YARA demo\n\nThis repo ships with an example rule: `rules/yara/example_test_string.yar`\n\n1. Build the demo binary:\n\n```powershell\nrustc .\\examples\\yara_demo.rs -o .\\examples\\yara_demo.exe\n```\n\n2. Run it:\n\n```powershell\n.\\examples\\yara_demo.exe\n```\n\n3. Verify an alert includes the rule name:\n\n* `ExampleMarkerString`\n\n**Note:** The demo binary runs in a loop to demonstrate active response. With response enabled and `prevention_enabled = true`, the process will be automatically terminated when the YARA rule triggers (YARA matches are treated as `critical` severity).\n\n---\n\n## Service mode\n\n```powershell\n.\\target\\release\\rustinel.exe service install\n.\\target\\release\\rustinel.exe service start\n.\\target\\release\\rustinel.exe service stop\n.\\target\\release\\rustinel.exe service uninstall\n```\n\n**Notes**\n\n* `service install` registers the *current executable path* — run it from the final location.\n* Config and rules paths resolve from the working directory; for services, prefer absolute paths or env overrides.\n* Service runtime does not receive CLI flags; set log level via `config.toml` or `EDR__LOGGING__LEVEL`.\n\n---\n\n## Configuration\n\nConfiguration precedence:\n\n1. CLI flags (highest, run mode only)\n2. Environment variables\n3. `config.toml`\n4. 
Built-in defaults\n\nExample `config.toml`:\n\n```toml\n[scanner]\nsigma_enabled = true\nsigma_rules_path = \"rules/sigma\"\nyara_enabled = true\nyara_rules_path = \"rules/yara\"\n\n[reload]\nenabled = true\ndebounce_ms = 2000\n\n[allowlist]\npaths = [\n  \"C:\\\\Windows\\\\\",\n  \"C:\\\\Program Files\\\\\",\n  \"C:\\\\Program Files (x86)\\\\\",\n]\n\n[logging]\nlevel = \"info\"\ndirectory = \"logs\"\nfilename = \"rustinel.log\"\nconsole_output = true\n\n[alerts]\ndirectory = \"logs\"\nfilename = \"alerts.json\"\nmatch_debug = \"off\" # off | summary | full\n\n[response]\nenabled = false\nprevention_enabled = false\nmin_severity = \"critical\"\nchannel_capacity = 128\nallowlist_images = []\n\n[network]\naggregation_enabled = true\naggregation_max_entries = 20000\naggregation_interval_buffer_size = 50\n\n[ioc]\nenabled = true\nhashes_path = \"rules/ioc/hashes.txt\"\nips_path = \"rules/ioc/ips.txt\"\ndomains_path = \"rules/ioc/domains.txt\"\npaths_regex_path = \"rules/ioc/paths_regex.txt\"\ndefault_severity = \"high\"\nmax_file_size_mb = 50\n```\n\n`allowlist.paths` is shared by default across:\n- `response.allowlist_paths`\n- `ioc.hash_allowlist_paths`\n- `scanner.yara_allowlist_paths`\n\nIf a module-specific list is explicitly set, it overrides the shared list for that module only.\n\nMatch debug output:\n1. `alerts.match_debug = \"off\"` disables match details in alerts (default).\n2. `alerts.match_debug = \"summary\"` adds rule condition + matched fields/patterns.\n3. 
`alerts.match_debug = \"full\"` adds matched values and YARA string snippets.\n\nEnvironment overrides:\n\n```powershell\nset EDR__LOGGING__LEVEL=debug\nset EDR__SCANNER__SIGMA_RULES_PATH=C:\\rules\\sigma\nset EDR__RELOAD__DEBOUNCE_MS=2000\nset EDR__ALLOWLIST__PATHS=[\"C:\\\\Windows\\\\\",\"C:\\\\Program Files\\\\\"]\n# optional module-specific override:\nset EDR__SCANNER__YARA_ALLOWLIST_PATHS=[\"C:\\\\Windows\\\\\",\"D:\\\\Trusted\\\\\"]\n```\n\nCLI override (highest precedence, run mode only):\n\n```powershell\nrustinel run --log-level debug\n```\n\nNote: rule logic evaluation errors are only logged at `warn`, `debug`, or `trace` levels (suppressed at `info`).\n\n### Hot reload\n\n| Option | Default | Description |\n|--------|---------|-------------|\n| `enabled` | `true` | Enable local file-based hot reload for Sigma, YARA, and IOC inputs |\n| `debounce_ms` | `2000` | Debounce window for coalescing burst file changes before rebuild/swap |\n\nNotes:\n- Poll cadence is `max(reload.debounce_ms, 2000ms)`.\n- Empty reload results are rejected for safety (previous compiled engines remain active).\n\n### Active response\n\n| Option | Default | Description |\n|--------|---------|-------------|\n| `enabled` | `false` | Enable active response engine |\n| `prevention_enabled` | `false` | If `false`, logs dry-run actions only |\n| `min_severity` | `critical` | Minimum severity to respond to (Sigma uses rule `level`, YARA is always treated as `critical`) |\n| `channel_capacity` | `128` | Queue size for response tasks (drops on overflow) |\n| `allowlist_images` | `[]` | Image basenames or full paths to skip |\n| `allowlist_paths` | inherits `allowlist.paths` | Prefix paths to skip (case-insensitive). 
Optional module-specific override |\n\nMore details: `docs/active-response.md`.\n\n### Atomic IOC detection\n\n| Option | Default | Description |\n|--------|---------|-------------|\n| `enabled` | `true` | Enable atomic IOC detection |\n| `hashes_path` | `rules/ioc/hashes.txt` | Hash IOC file (MD5/SHA1/SHA256) |\n| `ips_path` | `rules/ioc/ips.txt` | IP and CIDR IOC file |\n| `domains_path` | `rules/ioc/domains.txt` | Domain IOC file |\n| `paths_regex_path` | `rules/ioc/paths_regex.txt` | Path/filename regex IOC file |\n| `default_severity` | `high` | Severity assigned to IOC alerts |\n| `max_file_size_mb` | `50` | Skip hashing files larger than this (MB) |\n| `hash_allowlist_paths` | inherits `allowlist.paths` | Prefix paths to skip hashing (case-insensitive). Optional module-specific override |\n\n---\n\n## Rules\n\n### Sigma\n\n* Place `.yml` / `.yaml` files under `rules/sigma/`\n* Rules are compiled at startup and hot-reloaded when files change\n* Supported categories include:\n  `process_creation`, `network_connection`, `file_event`, `registry_event`,\n  `dns_query`, `image_load`, `ps_script`, `wmi_event`, `service_creation`, `task_creation`\n\n### YARA\n\n* Place `.yar` / `.yara` files under `rules/yara/`\n* Rules compile at startup and are hot-reloaded when files change\n* Scans trigger on **process creation** (runs in a background worker)\n* Files under allowlisted path prefixes are skipped (`allowlist.paths` by default or `scanner.yara_allowlist_paths` override)\n\n### Atomic IOCs\n\nPlace indicator files under `rules/ioc/`:\n\n* `hashes.txt` — MD5, SHA1, SHA256 hashes (auto-detected by length)\n* `ips.txt` — IP addresses and CIDR ranges\n* `domains.txt` — exact domains or `*.`/`.` prefix for suffix matching\n* `paths_regex.txt` — case-insensitive regexes matched against file paths\n\nHash checking runs in a dedicated background worker on process creation. 
Files under allowlisted paths (shared `allowlist.paths` by default, or `ioc.hash_allowlist_paths` override) and files exceeding `max_file_size_mb` are skipped automatically. Domain, IP, and path checks run inline with negligible overhead.\nIOC files are also hot-reloaded when they change.\n\n---\n\n## Output\n\nRustinel produces:\n\n* **Operational logs**: `logs/rustinel.log.YYYY-MM-DD`\n* **Security alerts** (ECS NDJSON): `logs/alerts.json.YYYY-MM-DD`\n\nExample alert (one JSON object per line):\n\n```json\n{\n  \"@timestamp\": \"2025-01-15T14:32:10Z\",\n  \"event.kind\": \"alert\",\n  \"event.category\": \"process\",\n  \"event.action\": \"process_creation\",\n  \"rule.name\": \"Whoami Execution\",\n  \"rule.severity\": \"low\",\n  \"rule.engine\": \"Sigma\",\n  \"process.executable\": \"C:\\\\Windows\\\\System32\\\\whoami.exe\",\n  \"process.command_line\": \"whoami /all\",\n  \"user.name\": \"DOMAIN\\\\username\"\n}\n```\n\n---\n\n## Development\n\n```powershell\n# Unit tests\ncargo test\n\n# Format + lint\ncargo fmt\ncargo clippy\n\n# Validate Sigma + YARA rules\ncargo run --bin validate_rules\n```\n\nProject layout (high level):\n\n```text\nsrc/\n├── collector/     # ETW collection + routing\n├── normalizer/    # Sysmon-style normalization + enrichment\n├── engine/        # Sigma engine\n├── scanner/       # YARA scanning worker\n├── ioc/           # Atomic IOC detection (hashes, IPs, domains, paths)\n├── state/         # caches (process/sid/dns/aggregation)\n└── bin/validate_rules.rs\n```\n\n---\n\n## Roadmap\n\nShort roadmap:\n- YARA expansion (memory scanning + periodic scans).\n- Resource governor (Windows Job Objects CPU limits).\n- Self-defense hardening (DACL/ACL restrictions + anti-injection).\n- Watchdog sidecar to restart the service if the main process dies.\n- ETW integrity checks to detect blinding/tampering.\n- Deep inspection via stack tracing for \"floating code\".\n\n---\n\n## Status\n\nRustinel is **Alpha**. 
It’s usable for experimentation, lab deployments, and iterative hardening.\nExpect breaking changes while the schema + engines mature.\n\n---\n\n## License\n\nApache 2.0 — see `LICENSE`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkarib0u%2Frustinel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkarib0u%2Frustinel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkarib0u%2Frustinel/lists"}