Rustinel: A New Open-Source Endpoint Detection Tool for Windows and Linux

Modern security operations are inherently complex, particularly in mixed operating-system environments. For years, system administrators, security engineers, and DevOps teams have battled a persistent operational headache: fragmented host telemetry. Windows-focused telemetry relies heavily on Microsoft Sysmon or native Event Tracing for Windows (ETW), while Linux monitoring is traditionally assembled from auditd or custom eBPF (extended Berkeley Packet Filter) pipelines. This divide forces defensive teams to maintain separate logging agents, incompatible rule formats, and disparate analysis pipelines.

Rustinel is an open-source endpoint detection tool designed to bridge this gap. Developed by Théo Foucher, it collapses cross-platform endpoint monitoring into a single codebase. Written in Rust for memory safety and low runtime overhead, this lightweight utility normalizes system events from both Windows and Linux into a unified format, so teams can deploy identical detection rules across the whole fleet.
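The idea behind "one schema, one rule set" is easy to show in code. The following Rust program is an added illustration written for this article; it is not Rustinel's code and does not use Rustinel's schema or rule format. It takes a constructed Windows process-start record (Sysmon/ETW-style field names) and a constructed Linux exec record (auditd-style field names; the `parent_exe` field is an assumption, since real auditd SYSCALL records only carry `ppid`), normalizes both into one `ProcessEvent` struct, and runs a single rule against them: a shell or script interpreter spawned by an office application or a web server. The sample lines are constructed, not captured telemetry.

```rust
// Added illustration, not Rustinel's code: normalise OS-specific process-start
// records into one schema and evaluate a single rule against both platforms.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Os { Windows, Linux }

/// The unified record every OS-specific parser produces.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProcessEvent {
    pub os: Os,
    pub image: String,        // full path as the source reported it
    pub parent_image: String,
    pub command_line: String,
}

/// Parse `key=value` tokens; values may be double-quoted and contain spaces.
fn parse_kv(line: &str) -> HashMap<String, String> {
    let mut out = HashMap::new();
    let mut rest = line.trim();
    while !rest.is_empty() {
        let eq = match rest.find('=') { Some(i) => i, None => break };
        let key = rest[..eq].trim().to_string();
        rest = &rest[eq + 1..];
        let value;
        if let Some(stripped) = rest.strip_prefix('"') {
            let end = stripped.find('"').unwrap_or(stripped.len());
            value = stripped[..end].to_string();
            rest = &stripped[(end + 1).min(stripped.len())..];
        } else {
            let end = rest.find(' ').unwrap_or(rest.len());
            value = rest[..end].to_string();
            rest = &rest[end..];
        }
        out.insert(key, value);
        rest = rest.trim_start();
    }
    out
}

/// Windows process-start record (constructed, Sysmon/ETW-like field names).
pub fn normalize_windows(line: &str) -> Option<ProcessEvent> {
    let kv = parse_kv(line);
    Some(ProcessEvent {
        os: Os::Windows,
        image: kv.get("Image")?.clone(),
        parent_image: kv.get("ParentImage")?.clone(),
        command_line: kv.get("CommandLine").cloned().unwrap_or_default(),
    })
}

/// Linux exec record (constructed, auditd-like field names). `parent_exe` is an
/// assumption for this example: real auditd SYSCALL records only carry `ppid`.
pub fn normalize_linux(line: &str) -> Option<ProcessEvent> {
    let kv = parse_kv(line);
    Some(ProcessEvent {
        os: Os::Linux,
        image: kv.get("exe")?.clone(),
        parent_image: kv.get("parent_exe")?.clone(),
        command_line: kv.get("cmdline").cloned().unwrap_or_default(),
    })
}

/// Basename with either path separator stripped and lower-cased, so a rule can
/// name "powershell.exe" or "sh" without caring about drive letters or /usr/bin.
pub fn basename(path: &str) -> String {
    path.rsplit(|c| c == '\\' || c == '/').next().unwrap_or(path).to_ascii_lowercase()
}

/// One rule, written once against the normalised schema: a shell or script
/// interpreter spawned by an office application or a web server.
pub fn rule_interpreter_from_office_or_web(ev: &ProcessEvent) -> bool {
    const INTERPRETERS: &[&str] = &["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "sh", "bash", "dash", "python3"];
    const SUSPICIOUS_PARENTS: &[&str] = &["winword.exe", "excel.exe", "outlook.exe", "nginx", "apache2", "httpd"];
    let child = basename(&ev.image);
    let parent = basename(&ev.parent_image);
    INTERPRETERS.contains(&child.as_str()) && SUSPICIOUS_PARENTS.contains(&parent.as_str())
}

// Constructed sample records (not captured telemetry).
pub const WIN_SAMPLE: &str = r#"Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA""#;
pub const WIN_BENIGN: &str = r#"Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe""#;
pub const LINUX_SAMPLE: &str = r#"type=EXEC exe="/bin/sh" parent_exe="/usr/sbin/nginx" cmdline="sh -c id""#;
pub const LINUX_BENIGN: &str = r#"type=EXEC exe="/usr/bin/sh" parent_exe="/usr/bin/bash" cmdline="sh -c ls""#;

/// Run every record through its OS-specific normaliser, then through the one
/// shared rule; returns the events that matched.
pub fn evaluate(records: &[(Os, &str)]) -> Vec<ProcessEvent> {
    records.iter().filter_map(|(os, line)| match os {
        Os::Windows => normalize_windows(line),
        Os::Linux => normalize_linux(line),
    }).filter(rule_interpreter_from_office_or_web).collect()
}

fn main() {
    let alerts = evaluate(&[(Os::Windows, WIN_SAMPLE), (Os::Windows, WIN_BENIGN), (Os::Linux, LINUX_SAMPLE), (Os::Linux, LINUX_BENIGN)]);
    for a in &alerts {
        println!("ALERT {:?}: {} spawned by {}", a.os, basename(&a.image), basename(&a.parent_image));
    }
}
```

The OS-specific knowledge (field names, path separators, case rules) lives only in the two normalisers and in `basename`; the rule itself never mentions Windows or Linux, which is what lets one rule file cover the whole fleet.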

How Rustinel Redefines the Modern Endpoint Detection Tool

The foundational value of Rustinel lies in its ability to abstract the underlying OS architecture. Rather than forcing blue teams to translate Windows-centric behavioral detections into Linux equivalents by hand, Rustinel serves as a universal translator for the behaviors that exist on both platforms (process creation, network connections, file activity); Windows-only sources such as the registry naturally have no Linux counterpart. This is critical because modern threat actors do not limit their tactics to a single operating system; a multi-stage campaign might start with a phishing payload on a Windows workstation and pivot to a Linux-based database or cloud server.

Historically, cross-platform endpoint detection has meant deploying heavyweight enterprise agents that consume significant system resources and run proprietary, closed-source detection engines. Rustinel takes the opposite approach: because the code is open, defenders can audit exactly what telemetry is collected, how it is parsed and evaluated, and where the current operational limits lie.

Deep-Dive Telemetry: ETW and eBPF Pipelines

Rustinel achieves its high-performance monitoring by tapping directly into the native instrumentation frameworks of each supported operating system:

  • Windows Telemetry (ETW): On Windows, Rustinel consumes Event Tracing for Windows (ETW) providers, giving broad coverage across several crucial event types, including:
    • Process creation and termination
    • Image loading (DLL tracking)
    • Network connection attempts and socket events
    • File creation, modifications, and deletions
    • Registry modifications and persistence attempts
    • Domain Name System (DNS) queries
    • PowerShell command execution and script block logging
    • Windows Management Instrumentation (WMI) activity
    • Service installation and Scheduled Task creations
  • Linux Telemetry (

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.