Karib0u / rustinel

Public

Rust Windows EDR (user-mode, no driver): ETW → Sysmon-style normalization → Sigma/Yara/IOC detection → ECS NDJSON alerts.

64
11
100% credibility
Found Feb 02, 2026 at 35 stars
Rust
AI Summary

Rustinel is a lightweight Windows security monitor that detects threats by watching system activity and alerting on suspicious behavior.

How It Works

1. 🔍 Discover Rustinel

You find this free Windows security helper on GitHub that watches for bad activity without slowing down your computer.

2. 📥 Download and unpack

Grab the latest ready-to-use file from the releases page and unzip it to a folder on your Windows machine.

3. ⚙️ Run with admin rights

Right-click and run as administrator to start watching your computer's processes, files, and network in real time.

4. 🚨 Spot your first alert

Try the built-in test, such as running 'whoami', and watch it catch the suspicious activity and save alerts to simple log files.

5. 🔄 Set it up to run automatically

Install it as a background service so it starts every time your computer boots and keeps protecting quietly.

6. 📋 Tweak settings if you want

Adjust what it watches, or add custom rules for specific threats, using the easy settings file.

🛡️ Stay protected effortlessly

Your Windows machine now detects threats like malware or odd behavior automatically, with clear alerts ready to review.

Star Growth

This repo grew from 35 to 64 stars.
AI-Generated Review

What is rustinel?

Rustinel is a user-mode Windows EDR agent written in Rust. It captures kernel telemetry via ETW on Windows 10/11 or Server 2016+, normalizes the events to a Sysmon-style schema, runs Sigma behavioral rules and YARA scans on process starts, and writes ECS-formatted NDJSON alerts for SIEM ingestion. Because it needs no kernel driver, it avoids the crash risk that drivers bring while still delivering high-performance threat detection without commercial bloat: a free Windows EDR on which you can build custom telemetry pipelines. Drop rules into folders, run it as a service or from the console via the CLI, and ship alerts to disk.

Why is it gaining traction?

With no kernel driver there is no bluescreen risk, and Rust's async runtime handles high-volume ETW without dropping events, beating sluggish .NET alternatives. Sigma and YARA compatibility lets you reuse thousands of community rules immediately, and noise reduction (keyword filters, connection aggregation) keeps alerts clean. GitHub Actions builds on Windows runners make it simple to compile and deploy, whether from a Windows runner or from the CLI.

Who should use this?

Windows SecOps engineers prototyping EDR on endpoints, pentesters generating realistic Windows EDR telemetry for evasion tests, or defenders tuning Sigma rules for Windows 10/7 fleets. Ideal for labs that want ETW-based telemetry without the hassle, or for teams piping alerts to a SIEM via GitHub Actions workflows.

Verdict

A solid alpha for experimentation: run the demos, tweak config.toml, and integrate the ECS alerts today, but hold off on production use until self-defense and memory scanning land. 56 stars and a 1.0% credibility score signal early maturity; pair it with robust docs for quick wins.