beelzebub-labs

eBPF-powered silent observer for containerized runtimes, built for malware analysis sandboxes and Agentic AI monitoring.

Found Feb 17, 2026 at 29 stars.
AI Summary

Azazel is a lightweight monitoring tool that captures detailed activity logs of processes, files, network connections, and security events from software running in isolated sandboxes for malware forensics.

How It Works

1. 🔍 Discover Azazel: You learn about a spy tool that safely watches every move suspicious software makes without letting it harm your computer.
2. 📦 Get it ready: You follow simple guides to prepare the watcher on your Linux computer, making sure everything is set for safe spying.
3. 🛡️ Set up a safe playground: You create a protected little area where you can run risky files without them escaping or causing trouble.
4. 🚀 Run the suspicious file: Drop your mystery file into the safe area, start it running, and turn on the watcher to capture all of its sneaky actions.
5. 📊 Gather the clues: Let it play out for a bit, then stop everything and collect a neat list of what happened, like files it touched or calls it made.
6. See the full story: Enjoy your easy-to-read report with counts of actions, network attempts, and loud warnings about any dangerous tricks it tried.

AI-Generated Review

What is azazel?

Azazel is a lightweight eBPF tracer for Linux runtime security and forensics, tailored for malware analysis sandboxes—like the azazel demon from Supernatural or X-Men, but monitoring syscalls instead of souls. Run a single static Go binary on kernel 5.8+ to capture process trees, file touches, network connects, and red flags like ptrace or W+X mmap in clean NDJSON. Filter by container ID via CLI (`sudo azazel --container abc123 --output events.json`) for isolated traces, with summaries and alerts on exit.

Why is it gaining traction?

Zero runtime dependencies, CO-RE portability across kernels, and cgroup filtering make it dead simple for container sandboxes—no agents or recompiles. JSON streams feed jq, ELK, or Splunk directly, and built-in heuristics auto-flag /tmp execs, shadow access, and module loads. A Docker Compose sandbox and an analyze.sh script handle detonation-to-report in one command.
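The review mentions an NDJSON event stream plus heuristics for /tmp execs, shadow access, module loads, ptrace and W+X mmap, but the page does not document the event schema. The following is an added example, not code from the azazel project: a small consumer that reads NDJSON lines, filters by container ID (mirroring the `--container` CLI option), and applies those same heuristics, producing the kind of per-type counts, network attempts and alerts the summary describes. Every field name (`type`, `container`, `pid`, `comm`, `path`, `prot`, `target_pid`, `name`, `daddr`, `dport`) is an assumption chosen for illustration, and the sample events are constructed.

```python
"""Consume azazel-style NDJSON sandbox events and apply simple heuristics.

Added example for illustration only; not part of the azazel project.
The field names below are an ASSUMED schema, not azazel's documented output.
"""
import json
from collections import Counter

# Constructed sample stream: one sandboxed sample (container abc123) doing
# several things an analyst would want flagged, plus an unrelated container.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"type": "exec", "container": "abc123", "pid": 4711, "comm": "sh",
                "path": "/tmp/.x/payload"}),
    json.dumps({"type": "open", "container": "abc123", "pid": 4711, "comm": "payload",
                "path": "/etc/shadow", "flags": "O_RDONLY"}),
    json.dumps({"type": "mmap", "container": "abc123", "pid": 4711, "comm": "payload",
                "prot": ["PROT_READ", "PROT_WRITE", "PROT_EXEC"]}),
    json.dumps({"type": "ptrace", "container": "abc123", "pid": 4711, "comm": "payload",
                "target_pid": 1}),
    json.dumps({"type": "init_module", "container": "abc123", "pid": 4711, "comm": "payload",
                "name": "example_mod"}),
    json.dumps({"type": "connect", "container": "abc123", "pid": 4711, "comm": "payload",
                "daddr": "198.51.100.7", "dport": 4444}),
    json.dumps({"type": "exec", "container": "other99", "pid": 52, "comm": "bash",
                "path": "/tmp/hello"}),
    json.dumps({"type": "open", "container": "abc123", "pid": 4711, "comm": "payload",
                "path": "/etc/hosts", "flags": "O_RDONLY"}),
])

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CREDENTIAL_FILES = {"/etc/shadow", "/etc/gshadow"}


def flag_event(ev):
    """Return an alert string if the event matches a heuristic, else None."""
    kind = ev.get("type")
    path = ev.get("path", "")
    if kind == "exec" and path.startswith(WORLD_WRITABLE_DIRS):
        return f"exec from world-writable directory: {path}"
    if kind == "open" and path in CREDENTIAL_FILES:
        return f"credential file access: {path}"
    if kind == "mmap" and {"PROT_WRITE", "PROT_EXEC"} <= set(ev.get("prot", [])):
        return "W+X memory mapping (common shellcode staging pattern)"
    if kind == "ptrace":
        return f"ptrace on pid {ev.get('target_pid')} (debugger or injection behaviour)"
    if kind in ("init_module", "finit_module"):
        return f"kernel module load: {ev.get('name')}"
    return None


def analyze(ndjson_text, container=None):
    """Parse NDJSON, optionally keep one container's events, and summarise.

    Malformed lines are counted rather than aborting the run, since a tracer
    killed mid-write can leave a truncated last line.
    """
    counts, alerts, network, malformed = Counter(), [], [], 0
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if container is not None and ev.get("container") != container:
            continue
        counts[ev.get("type", "unknown")] += 1
        if ev.get("type") == "connect":
            network.append(f"{ev.get('daddr')}:{ev.get('dport')}")
        alert = flag_event(ev)
        if alert:
            alerts.append(f"pid {ev.get('pid')} ({ev.get('comm')}): {alert}")
    return {"counts": dict(counts), "network": network,
            "alerts": alerts, "malformed": malformed}


def print_report(summary):
    """Human-readable report in the spirit of the summary described above."""
    print("event counts:")
    for kind, n in sorted(summary["counts"].items()):
        print(f"  {kind:12s} {n}")
    print(f"network attempts: {', '.join(summary['network']) or 'none'}")
    print(f"malformed lines: {summary['malformed']}")
    print("alerts:")
    for a in summary["alerts"]:
        print(f"  !! {a}")


if __name__ == "__main__":
    print_report(analyze(SAMPLE_NDJSON, container="abc123"))
```

Running the block without a container argument reports on every container in the stream, which is how the unrelated `/tmp/hello` exec in the sample also shows up; filtering to `abc123` drops it, matching the isolated-trace use of `--container` described above.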

Who should use this?

Malware analysts detonating samples in Docker, security researchers tracing Linux runtime behavior, or threat hunters dissecting container escapes. Suits teams that clone the repo and run forensics from the command line without GUI bloat.

Verdict

Grab it for sandbox prototyping—docs shine, tests cover well—but 29 stars and 1.0% credibility scream early alpha; watch for maturity before prod. Solid if your workflow matches.
