EvilMist is a collection of scripts and utilities designed to support cloud penetration testing & red teaming. The toolkit helps identify misconfigurations, assess privilege-escalation paths, and simulate attack techniques. EvilMist aims to streamline cloud-focused red-team workflows and improve the overall security posture of cloud infrastructures
Comprehensive Azure Entra ID (Azure AD) user enumeration and security assessment tool, available in both PowerShell and Python versions.
Key Features:
- 15+ User Enumeration Methods - Works even when direct
/usersaccess is blocked - Security Assessment - MFA status, privileged roles, stale accounts, guest users
- Credential Attack Surface - SSPR, legacy auth, app passwords analysis
- Conditional Access Analysis - Policy enumeration and gap detection
- Device & Intune Enumeration - Managed devices, compliance policies
- Attack Path Analysis - Privilege escalation paths and lateral movement
- Power Platform - Power Apps and Power Automate flow enumeration
- Export Options - BloodHound/AzureHound JSON, HTML reports, CSV/JSON
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---|---|---|
| PowerShell | EntraRecon-PS1.md | Invoke-EntraRecon.ps1 |
| Python | EntraRecon-PY.md | entra_recon.py |
Focused security assessment tool to identify Azure Entra ID users without Multi-Factor Authentication (MFA) enabled. Includes advanced features for shared mailbox detection and sign-in activity analysis.
Key Features:
- MFA Detection - Identifies users without strong authentication methods
- Last Sign-In Tracking - Shows last login date/time and activity patterns
- Shared Mailbox Detection - Automatically identifies and filters shared mailbox accounts
- Sign-In Capability Check - Determines if accounts can actually authenticate
- Risk Assessment - Categorizes users by risk level (HIGH/MEDIUM/LOW)
- Activity Analytics - Sign-in statistics, department breakdowns, stale accounts
- Matrix View - Compact table format for quick visual scanning
- Export Options - CSV/JSON with comprehensive user details
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---|---|---|
| PowerShell | EntraMFACheck-PS1.md | Invoke-EntraMFACheck.ps1 |
Comprehensive guest account analysis tool to identify, analyze, and assess the security posture of external users in Azure Entra ID. Essential for guest access governance and security audits.
Key Features:
- Guest Account Discovery - Enumerate all guest users in the tenant
- MFA Status Detection - Identify guests without Multi-Factor Authentication
- Last Sign-In Tracking - Shows login date/time and activity patterns for guests
- Guest Domain Extraction - Identifies originating organizations of guest users
- Invite Status Tracking - Shows accepted, pending, or expired invitations
- Risk Assessment - Categorizes guests by risk level (HIGH/MEDIUM/LOW)
- Activity Analytics - Sign-in statistics, stale accounts, unused invites
- Matrix View - Compact table format for quick visual scanning
- Filtering Options - Show only guests without MFA or include disabled accounts
- Export Options - CSV/JSON with comprehensive guest details
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---|---|---|
| PowerShell | EntraGuestCheck-PS1.md | Invoke-EntraGuestCheck.ps1 |
Comprehensive security assessment tool to identify Azure Entra ID users with access to 10 critical administrative applications including PowerShell tools, management portals, core Microsoft 365 services, and privileged identity management. Essential for privileged access governance and administrative tool auditing.
Key Features:
- Critical Access Discovery - Enumerate users with administrative application access across all tiers
- Explicit Assignment Focus - Shows users with elevated/administrative access (not basic user access)
- Default Access Detection - Automatically detects and warns about apps with default access
- Security-Focused Results - Filters out noise from basic user access to focus on privileged users
- Multiple Application Coverage - Tracks 10 critical apps: Azure/AD PowerShell, Azure CLI, Graph Tools, M365/Azure Portals, Exchange/SharePoint Online, and PIM
- MFA Status Detection - Identify privileged users without Multi-Factor Authentication
- Last Sign-In Tracking - Shows login date/time and activity patterns
- Assignment Tracking - Shows when users were granted management access
- Risk Assessment - Categorizes users by risk level (HIGH/MEDIUM/LOW)
- Activity Analytics - Sign-in statistics, stale accounts, inactive users
- Matrix View - Compact table format for quick visual scanning
- Filtering Options - Show only users without MFA or include disabled accounts
- Export Options - CSV/JSON with comprehensive access details
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---|---|---|
| PowerShell | EntraAppAccess-PS1.md | Invoke-EntraAppAccess.ps1 |
Requirements: PowerShell 7+
# Interactive mode
.\Invoke-EntraRecon.ps1
# With Azure CLI token
.\Invoke-EntraRecon.ps1 -UseAzCliToken
# Export all users
.\Invoke-EntraRecon.ps1 -ExportPath "users.csv"
# Stealth mode
.\Invoke-EntraRecon.ps1 -EnableStealthπ Full documentation: EntraRecon-PS1.md
Requirements: Python 3.8+, msal, requests
# Install dependencies
pip install -r requirements.txt
# Run interactive mode
python entra_recon.pyπ Full documentation: EntraRecon-PY.md
Requirements: PowerShell 7+, Microsoft.Graph modules
# Scan for users without MFA
.\Invoke-EntraMFACheck.ps1
# Export results to CSV
.\Invoke-EntraMFACheck.ps1 -ExportPath "no-mfa-users.csv"
# Matrix view with all features
.\Invoke-EntraMFACheck.ps1 -Matrix -IncludeDisabledUsers
# Stealth mode
.\Invoke-EntraMFACheck.ps1 -EnableStealth -QuietStealthπ Full documentation: EntraMFACheck-PS1.md
Requirements: PowerShell 7+, Microsoft.Graph modules
# Enumerate all guest accounts
.\Invoke-EntraGuestCheck.ps1
# Export results to CSV
.\Invoke-EntraGuestCheck.ps1 -ExportPath "guest-accounts.csv"
# Show only guests without MFA in matrix view
.\Invoke-EntraGuestCheck.ps1 -Matrix -OnlyNoMFA
# Include disabled guests with stealth mode
.\Invoke-EntraGuestCheck.ps1 -IncludeDisabledGuests -EnableStealth -QuietStealthπ Full documentation: EntraGuestCheck-PS1.md
Requirements: PowerShell 7+, Microsoft.Graph modules
# Check users with critical administrative access (10 apps)
.\Invoke-EntraAppAccess.ps1
# Export results to CSV
.\Invoke-EntraAppAccess.ps1 -ExportPath "app-access.csv"
# Show only users without MFA in matrix view
.\Invoke-EntraAppAccess.ps1 -Matrix -OnlyNoMFA
# Stealth mode scan
.\Invoke-EntraAppAccess.ps1 -EnableStealth -QuietStealthπ Full documentation: EntraAppAccess-PS1.md
| Document | Description |
|---|---|
| EntraRecon-PS1.md | Full PowerShell script documentation including all parameters, features, and usage examples |
| EntraRecon-PY.md | Full Python script documentation including authentication methods, stealth configuration, and examples |
| EntraMFACheck-PS1.md | MFA Security Check documentation including shared mailbox detection, sign-in tracking, and risk assessment |
| EntraGuestCheck-PS1.md | Guest Account Enumeration documentation including guest domain extraction, invite tracking, and security analysis |
| EntraAppAccess-PS1.md | PowerShell & Graph CLI Access Check documentation including app access tracking, assignment dates, and privileged access analysis |
Both versions provide the same core functionality:
| Feature | PowerShell | Python |
|---|---|---|
| User Enumeration (15+ methods) | β | β |
| Security Assessment | β | β |
| Credential Attack Surface | β | β |
| Conditional Access Analysis | β | β |
| Device/Intune Enumeration | β | β |
| Attack Path Analysis | β | β |
| Power Platform Enumeration | β | β |
| Lateral Movement Analysis | β | β |
| BloodHound Export | β | β |
| HTML Report Generation | β | β |
| Stealth Mode | β | β |
| Interactive Menu | β | β |
| Azure CLI Token | β | β |
| Device Code Flow | β | β |
| Refresh Token Exchange | β | β |
| Extended App ID Database | β | β |
| Stealth Presets | β | β |
| Feature | Enumerate-EntraUsers | MFA Security Check | Guest Account Enumeration | Critical Admin Access Check |
|---|---|---|---|---|
| Purpose | Comprehensive user enumeration | Focused MFA security audit | Guest access governance | Critical administrative access audit |
| User Enumeration | 15+ methods | Standard method | Guest-focused | App assignment-based |
| MFA Detection | Basic check | Advanced with method types | Advanced with method types | Advanced with method types |
| Shared Mailbox Detection | β | β Automatic | β (N/A for guests) | β (N/A for app access) |
| Guest Domain Extraction | β | β | β Automatic | β |
| Invite Status Tracking | β | β | β With acceptance dates | β |
| App Access Tracking | β | β | β | β Multi-app coverage |
| Assignment Date Tracking | β | β | β Invite dates | β Assignment dates |
| Last Sign-In Tracking | β | β With analytics | β With analytics | β With analytics |
| Sign-In Capability Check | β | β | β | β |
| Risk Level Assessment | Basic | Advanced (HIGH/MEDIUM/LOW) | Advanced (HIGH/MEDIUM/LOW) | Advanced (HIGH/MEDIUM/LOW) |
| Activity Analytics | Limited | Detailed (stale/recent/never) | Detailed (stale/recent/never) | Detailed (stale/recent/never) |
| Matrix View | β | β | β | β |
| Department Analysis | β | β With statistics | β With statistics | β With statistics |
| BloodHound Export | β | β | β | β |
| HTML Report | β | β | β | β |
| CSV/JSON Export | β | β Enhanced fields | β Enhanced fields | β Enhanced fields |
| Stealth Mode | β | β | β | β |
| Best For | Red team reconnaissance | MFA compliance audits | External user security | Privileged access audit |
pip install -r requirements.txtOr install manually:
pip install msal requests
# Optional: Additional authentication methods
pip install azure-identityEnumerate-EntraUsers: The script will automatically install the required Microsoft.Graph.Users module on first run.
MFA Security Check: Requires Microsoft Graph PowerShell SDK:
Install-Module Microsoft.Graph -Scope CurrentUserOr install individual modules:
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module Microsoft.Graph.Users -Scope CurrentUser
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUserBoth scripts support multiple authentication methods:
- Interactive Browser - OAuth login via browser
- Device Code Flow - Code-based authentication for headless environments
- Azure CLI Token - Use cached
az logincredentials - Azure PowerShell Token - Use cached
Connect-AzAccountcredentials - Environment Variables - Set
GRAPH_ACCESS_TOKENorAZURE_ACCESS_TOKEN - Manual Token Input - Paste a token directly
The Python version additionally supports:
- Refresh Token Exchange - Use tokens from ROADtools, TokenTactics, etc.
- Managed Identity - For Azure-hosted environments
- VS Code Credential - Azure extension cached token
- Shared Token Cache - Windows cached credentials
This toolkit is intended for authorized security testing and research purposes only. Users are responsible for ensuring they have proper authorization before using these tools against any systems. The authors assume no liability for misuse of this software.
GNU General Public License v3.0 - See LICENSE file for details.
Copyright (C) 2025 Logisek
Contributions are welcome! Please feel free to submit pull requests or open issues for bugs and feature requests.
- Microsoft Graph API - Primary data source
- BloodHound - Attack path analysis inspiration
- AzureHound - Azure data collection format
- microsoft-info - Microsoft First Party App Names & Graph Permissions