EvilMist is a collection of scripts and utilities designed to support cloud penetration testing and red teaming. The toolkit helps identify misconfigurations, assess privilege-escalation paths, and simulate attack techniques. EvilMist aims to streamline cloud-focused red-team workflows and improve the overall security posture of cloud infrastructures.
Comprehensive Azure Entra ID (Azure AD) user enumeration and security assessment tool, available in both PowerShell and Python versions.
Key Features:
- 15+ User Enumeration Methods - Works even when direct `/users` access is blocked
- Security Assessment - MFA status, privileged roles, stale accounts, guest users
- Credential Attack Surface - SSPR, legacy auth, app passwords analysis
- Conditional Access Analysis - Policy enumeration and gap detection
- Device & Intune Enumeration - Managed devices, compliance policies
- Attack Path Analysis - Privilege escalation paths and lateral movement
- Power Platform - Power Apps and Power Automate flow enumeration
- Export Options - BloodHound/AzureHound JSON, HTML reports, CSV/JSON
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---|---|---|
| PowerShell | EntraRecon-PS1.md | Invoke-EntraRecon.ps1 |
| Python | EntraRecon-PY.md | entra_recon.py |
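The "Conditional Access Analysis - Policy enumeration and gap detection" feature above is, from the defender's side, a compliance check over the tenant's policy objects. The following is an added example for this README (not EvilMist's own code) showing what such gap detection looks like: it parses a Graph-shaped `{"value": [...]}` collection of `conditionalAccessPolicy` records and flags disabled or report-only policies, unusually broad user exclusions, the absence of an enforced tenant-wide MFA requirement, and the absence of an enforced legacy-authentication block. The policy records, their names and the `max_exclusions` threshold are constructed for illustration; the field names follow the Microsoft Graph schema.

```python
"""Conditional Access gap detection over Graph-shaped policy objects.

Added example for this README, not EvilMist's own code. The policy records
below are constructed for illustration; field names follow the Microsoft Graph
conditionalAccessPolicy schema, the values and display names are made up.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample: the shape GET /identity/conditionalAccess/policies returns.
SAMPLE_RESPONSE = json.dumps({"value": [
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",  # report-only, so nothing is enforced
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1", "breakglass-2"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Old pilot policy",
        "state": "disabled",
        "conditions": {
            "users": {"includeUsers": ["pilot-group-id-placeholder"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]})

Finding = Tuple[str, str]  # (gap code, policy displayName, or "*" for a tenant-wide gap)


def load_policies(response_text: str) -> List[Dict]:
    """Parse a Graph collection response ({"value": [...]}) into policy dicts."""
    return json.loads(response_text).get("value", [])


def is_enforced(policy: Dict) -> bool:
    # Only "enabled" enforces; report-only and disabled policies change nothing.
    return policy.get("state") == "enabled"


def users_condition(policy: Dict) -> Dict:
    return policy.get("conditions", {}).get("users", {})


def applies_to_all_users(policy: Dict) -> bool:
    return "All" in users_condition(policy).get("includeUsers", [])


def covers_all_apps(policy: Dict) -> bool:
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def requires_mfa(policy: Dict) -> bool:
    grant = policy.get("grantControls") or {}
    # The classic "mfa" control or an authentication strength both count.
    return "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))


def blocks_legacy_auth(policy: Dict) -> bool:
    """Enforced block on the legacy client app types, applied to all users."""
    client_types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    blocks = "block" in (policy.get("grantControls") or {}).get("builtInControls", [])
    return (is_enforced(policy) and applies_to_all_users(policy) and blocks
            and {"exchangeActiveSync", "other"} <= client_types)


def find_gaps(policies: List[Dict], max_exclusions: int = 2) -> List[Finding]:
    """Return (code, target) findings. max_exclusions is an assumed threshold for
    how many break-glass exclusions a tenant-wide policy is expected to carry."""
    findings: List[Finding] = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        state = p.get("state")
        if state == "disabled":
            findings.append(("DISABLED_POLICY", name))
        elif state == "enabledForReportingButNotEnforced":
            findings.append(("REPORT_ONLY", name))
        excluded = users_condition(p).get("excludeUsers", [])
        if applies_to_all_users(p) and len(excluded) > max_exclusions:
            findings.append(("BROAD_USER_EXCLUSION", name))
    if not any(is_enforced(p) and applies_to_all_users(p) and covers_all_apps(p)
               and requires_mfa(p) for p in policies):
        findings.append(("NO_TENANT_WIDE_MFA", "*"))
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append(("NO_LEGACY_AUTH_BLOCK", "*"))
    return findings


if __name__ == "__main__":
    for code, target in find_gaps(load_policies(SAMPLE_RESPONSE)):
        print(f"{code:22} {target}")
```

On the constructed sample the run reports the report-only MFA policy, the disabled pilot policy, and the resulting absence of any enforced tenant-wide MFA requirement; the legacy-authentication block is enforced, so no gap is raised for it. Reading a real tenant's policies requires `Policy.Read.All` on the calling identity.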
Focused security assessment tool to identify Azure Entra ID users without Multi-Factor Authentication (MFA) enabled. Includes advanced features for shared mailbox detection and sign-in activity analysis.
Key Features:
- MFA Detection - Identifies users without strong authentication methods
- Last Sign-In Tracking - Shows last login date/time and activity patterns
- Shared Mailbox Detection - Automatically identifies and filters shared mailbox accounts
- Sign-In Capability Check - Determines if accounts can actually authenticate
- Risk Assessment - Categorizes users by risk level (HIGH/MEDIUM/LOW)
- Activity Analytics - Sign-in statistics, department breakdowns, stale accounts
- Matrix View - Compact table format for quick visual scanning
- Export Options - CSV/JSON with comprehensive user details
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---|---|---|
| PowerShell | EntraMFACheck-PS1.md | Invoke-EntraMFACheck.ps1 |
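The MFA check described above combines four of the listed features: strong-method detection, shared-mailbox filtering, sign-in activity buckets, and a HIGH/MEDIUM/LOW risk rating. The block below is an added example for this README (not EvilMist's own code, and written in Python rather than the script's PowerShell) that runs that classification over a constructed set of user records. Method type names follow the `@odata.type` values that `GET /users/{id}/authentication/methods` returns; the other fields are simplified, and the shared-mailbox heuristic, the 30/90-day activity thresholds and the risk rules are assumptions made for the example.

```python
"""Risk classification of users without MFA, with shared-mailbox filtering and
sign-in activity buckets.

Added example for this README, not EvilMist's own code. The user records are
constructed; method type names follow the @odata.type values returned by
GET /users/{id}/authentication/methods, the other fields are simplified.
The shared-mailbox heuristic and the 30/90-day thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Methods treated as a registered second factor. Password, email (SSPR only)
# and temporary access pass are deliberately not counted.
STRONG_METHODS = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
}
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Constructed sample tenant (no real accounts).
SAMPLE_USERS: List[Dict] = [
    {"userPrincipalName": "alice@example.test", "accountEnabled": True, "department": "Finance",
     "lastSignIn": "2025-05-28T09:12:00Z", "methods": [PASSWORD]},
    {"userPrincipalName": "bob@example.test", "accountEnabled": True, "department": "IT",
     "lastSignIn": "2025-05-30T07:00:00Z",
     "methods": [PASSWORD, "#microsoft.graph.fido2AuthenticationMethod"]},
    {"userPrincipalName": "carol@example.test", "accountEnabled": True, "department": "Finance",
     "lastSignIn": "2025-01-15T10:00:00Z",
     "methods": [PASSWORD, "#microsoft.graph.emailAuthenticationMethod"]},
    {"userPrincipalName": "dave@example.test", "accountEnabled": False, "department": "HR",
     "lastSignIn": "2024-11-02T08:00:00Z", "methods": [PASSWORD]},
    {"userPrincipalName": "invoices@example.test", "accountEnabled": False, "department": None,
     "lastSignIn": None, "methods": [PASSWORD]},
]


def parse_iso(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def has_mfa(user: Dict) -> bool:
    return any(m in STRONG_METHODS for m in user.get("methods", []))


def is_shared_mailbox_candidate(user: Dict) -> bool:
    """Assumed heuristic: sign-in blocked, never signed in, password-only.
    Exchange shared mailboxes are created that way and are never used interactively."""
    return (not user.get("accountEnabled") and user.get("lastSignIn") is None
            and set(user.get("methods", [])) <= {PASSWORD})


def activity_bucket(user: Dict, now: datetime) -> str:
    """recent: within 30 days; stale: older than 90 days; never: no sign-in recorded."""
    last = parse_iso(user.get("lastSignIn"))
    if last is None:
        return "never"
    age = now - last
    if age <= timedelta(days=30):
        return "recent"
    if age > timedelta(days=90):
        return "stale"
    return "aging"


def risk_level(user: Dict, now: datetime) -> str:
    """HIGH: can sign in and is in active use; MEDIUM: can sign in but is not
    recently active; LOW: sign-in blocked, so the missing factor is not exploitable."""
    if not user.get("accountEnabled"):
        return "LOW"
    return "HIGH" if activity_bucket(user, now) == "recent" else "MEDIUM"


def find_users_without_mfa(users: List[Dict], now: datetime = NOW,
                           include_disabled: bool = False,
                           include_shared: bool = False) -> List[Dict]:
    results = []
    for u in users:
        if has_mfa(u):
            continue
        shared = is_shared_mailbox_candidate(u)
        if shared and not include_shared:
            continue
        if not u.get("accountEnabled") and not include_disabled:
            continue
        results.append({
            "upn": u["userPrincipalName"],
            "department": u.get("department") or "(none)",
            "activity": activity_bucket(u, now),
            "risk": risk_level(u, now),
            "sharedMailbox": shared,
        })
    return results


def department_breakdown(findings: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["department"]] = counts.get(f["department"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_users_without_mfa(SAMPLE_USERS):
        print(f"{row['risk']:6} {row['activity']:7} {row['upn']}")
    print(department_breakdown(find_users_without_mfa(SAMPLE_USERS)))
```

With the defaults only alice (active, no second factor: HIGH) and carol (email method is SSPR-only, last seen in January: MEDIUM) are reported; dave is dropped unless disabled users are included, and the shared-mailbox candidate is dropped unless shared mailboxes are included. The two flags mirror the script's `-IncludeDisabledUsers` option and its automatic shared-mailbox filtering. Reading the methods collection for other users requires `UserAuthenticationMethod.Read.All`, and `lastSignIn` corresponds to the `signInActivity` property, which needs `AuditLog.Read.All`.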
Requirements: PowerShell 7+
```powershell
# Interactive mode
.\Invoke-EntraRecon.ps1
# With Azure CLI token
.\Invoke-EntraRecon.ps1 -UseAzCliToken
# Export all users
.\Invoke-EntraRecon.ps1 -ExportPath "users.csv"
# Stealth mode
.\Invoke-EntraRecon.ps1 -EnableStealth
```
Full documentation: EntraRecon-PS1.md
Requirements: Python 3.8+, msal, requests
```bash
# Install dependencies
pip install -r requirements.txt
# Run interactive mode
python entra_recon.py
```
Full documentation: EntraRecon-PY.md
Requirements: PowerShell 7+, Microsoft.Graph modules
```powershell
# Scan for users without MFA
.\Invoke-EntraMFACheck.ps1
# Export results to CSV
.\Invoke-EntraMFACheck.ps1 -ExportPath "no-mfa-users.csv"
# Matrix view with all features
.\Invoke-EntraMFACheck.ps1 -Matrix -IncludeDisabledUsers
# Stealth mode
.\Invoke-EntraMFACheck.ps1 -EnableStealth -QuietStealth
```
Full documentation: EntraMFACheck-PS1.md
| Document | Description |
|---|---|
| EntraRecon-PS1.md | Full PowerShell script documentation including all parameters, features, and usage examples |
| EntraRecon-PY.md | Full Python script documentation including authentication methods, stealth configuration, and examples |
| EntraMFACheck-PS1.md | MFA Security Check documentation including shared mailbox detection, sign-in tracking, and risk assessment |
Both versions provide the same core functionality:
| Feature | PowerShell | Python |
|---|---|---|
| User Enumeration (15+ methods) | β | β |
| Security Assessment | β | β |
| Credential Attack Surface | β | β |
| Conditional Access Analysis | β | β |
| Device/Intune Enumeration | β | β |
| Attack Path Analysis | β | β |
| Power Platform Enumeration | β | β |
| Lateral Movement Analysis | β | β |
| BloodHound Export | β | β |
| HTML Report Generation | β | β |
| Stealth Mode | β | β |
| Interactive Menu | β | β |
| Azure CLI Token | β | β |
| Device Code Flow | β | β |
| Refresh Token Exchange | β | β |
| Extended App ID Database | β | β |
| Stealth Presets | β | β |
| Feature | Enumerate-EntraUsers | MFA Security Check |
|---|---|---|
| Purpose | Comprehensive user enumeration | Focused MFA security audit |
| User Enumeration | 15+ methods | Standard method |
| MFA Detection | Basic check | Advanced with method types |
| Shared Mailbox Detection | β | β Automatic |
| Last Sign-In Tracking | β | β With analytics |
| Sign-In Capability Check | β | β |
| Risk Level Assessment | Basic | Advanced (HIGH/MEDIUM/LOW) |
| Activity Analytics | Limited | Detailed (stale/recent/never) |
| Matrix View | β | β |
| Department Analysis | β | β With statistics |
| BloodHound Export | β | β |
| HTML Report | β | β |
| CSV/JSON Export | β | β Enhanced fields |
| Stealth Mode | β | β |
| Best For | Red team reconnaissance | MFA compliance audits |
```bash
pip install -r requirements.txt
```
Or install manually:
```bash
pip install msal requests
# Optional: Additional authentication methods
pip install azure-identity
```
Enumerate-EntraUsers: The script will automatically install the required Microsoft.Graph.Users module on first run.
MFA Security Check: Requires the Microsoft Graph PowerShell SDK:
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
```
Or install individual modules:
```powershell
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module Microsoft.Graph.Users -Scope CurrentUser
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
```
Both scripts support multiple authentication methods:
- Interactive Browser - OAuth login via browser
- Device Code Flow - Code-based authentication for headless environments
- Azure CLI Token - Use cached `az login` credentials
- Azure PowerShell Token - Use cached `Connect-AzAccount` credentials
- Environment Variables - Set `GRAPH_ACCESS_TOKEN` or `AZURE_ACCESS_TOKEN`
- Manual Token Input - Paste a token directly
The Python version additionally supports:
- Refresh Token Exchange - Use tokens from ROADtools, TokenTactics, etc.
- Managed Identity - For Azure-hosted environments
- VS Code Credential - Azure extension cached token
- Shared Token Cache - Windows cached credentials
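Several of the authentication methods listed above (environment variables, manual token input, Azure CLI and Azure PowerShell token reuse) hand the script a bearer token that was minted elsewhere, so the first failure mode a user hits is a token for the wrong audience (an `az login` token is typically scoped to Azure Resource Manager, not Graph), an expired token, or one lacking the delegated scopes the queries need. The block below is an added example for this README, not EvilMist's own code: it resolves a token from the two environment variables named above (giving `GRAPH_ACCESS_TOKEN` precedence, an assumed order), decodes the JWT payload without verifying the signature, and reports those three problems before any request is sent. The sample tokens are constructed locally with a dummy signature and would never be accepted by Graph; the `required_scopes` default is an assumption chosen for the example.

```python
"""Resolve a Graph access token from the environment and sanity-check it.

Added example for this README, not EvilMist's own code. The precedence of
GRAPH_ACCESS_TOKEN over AZURE_ACCESS_TOKEN and the default required scope are
assumptions. The signature is not verified here: Graph verifies it server-side,
and the client only needs to know whether the token is worth presenting.
"""
import base64
import json
import time
from typing import Dict, List, Optional, Sequence

ENV_VARS = ("GRAPH_ACCESS_TOKEN", "AZURE_ACCESS_TOKEN")
# Graph tokens carry either the resource URL or Graph's well-known application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: Dict) -> str:
    """Construct a JWT-shaped string with a dummy signature (example input only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def resolve_token(env: Dict[str, str]) -> Optional[str]:
    """First non-empty variable in ENV_VARS order wins (assumed precedence)."""
    for name in ENV_VARS:
        value = env.get(name, "").strip()
        if value:
            return value
    return None


def check_token(claims: Dict, required_scopes: Sequence[str] = ("User.Read.All",),
                now: Optional[float] = None) -> List[str]:
    """Return a list of human-readable problems; an empty list means usable."""
    problems: List[str] = []
    now = time.time() if now is None else now
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp claim")
    # Delegated tokens list scopes in "scp"; app-only tokens list app roles in "roles".
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append("missing permissions: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed tokens: one minted for Graph, one for Azure Resource Manager.
    graph_token = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                       "exp": int(time.time()) + 3600,
                                       "scp": "User.Read.All Directory.Read.All"})
    arm_token = make_unsigned_token({"aud": "https://management.azure.com",
                                     "exp": int(time.time()) + 3600,
                                     "scp": "user_impersonation"})
    for label, env in (("graph", {"GRAPH_ACCESS_TOKEN": graph_token}),
                       ("arm", {"AZURE_ACCESS_TOKEN": arm_token})):
        token = resolve_token(env)
        print(label, check_token(decode_claims(token)) or "ok")
```

Run stand-alone, the Graph-audience token passes and the ARM-audience token is rejected twice over (wrong audience, missing `User.Read.All`), which is the error a user sees when they export an `az account get-access-token` result without requesting the Graph resource. A client-side check like this is also where a defender reviewing a captured token can read its `aud`, `scp` and `exp` at a glance.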
This toolkit is intended for authorized security testing and research purposes only. Users are responsible for ensuring they have proper authorization before using these tools against any systems. The authors assume no liability for misuse of this software.
GNU General Public License v3.0 - See LICENSE file for details.
Copyright (C) 2025 Logisek
Contributions are welcome! Please feel free to submit pull requests or open issues for bugs and feature requests.
- Microsoft Graph API - Primary data source
- BloodHound - Attack path analysis inspiration
- AzureHound - Azure data collection format
- microsoft-info - Microsoft First Party App Names & Graph Permissions