EvilMist is a collection of scripts and utilities designed to support cloud penetration testing & red teaming. The toolkit helps identify misconfigurations, assess privilege-escalation paths, and simulate attack techniques. EvilMist aims to streamline cloud-focused red-team workflows and improve the overall security posture of cloud infrastructures
Comprehensive Azure Entra ID (Azure AD) user enumeration and security assessment tool, available in both PowerShell and Python versions.
Key Features:
- 15+ User Enumeration Methods - Works even when direct
/usersaccess is blocked - Security Assessment - MFA status, privileged roles, stale accounts, guest users
- Credential Attack Surface - SSPR, legacy auth, app passwords analysis
- Conditional Access Analysis - Policy enumeration and gap detection
- Device & Intune Enumeration - Managed devices, compliance policies
- Attack Path Analysis - Privilege escalation paths and lateral movement
- Power Platform - Power Apps and Power Automate flow enumeration
- Export Options - BloodHound/AzureHound JSON, HTML reports, CSV/JSON
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---|---|---|
| PowerShell | EntraRecon-PS1.md | Invoke-EntraRecon.ps1 |
| Python | EntraRecon-PY.md | entra_recon.py |
Requirements: PowerShell 7+
# Interactive mode
.\Invoke-EntraRecon.ps1
# With Azure CLI token
.\Invoke-EntraRecon.ps1 -UseAzCliToken
# Export all users
.\Invoke-EntraRecon.ps1 -ExportPath "users.csv"
# Stealth mode
.\Invoke-EntraRecon.ps1 -EnableStealth📖 Full documentation: EntraRecon-PS1.md
Requirements: Python 3.8+, msal, requests
# Install dependencies
pip install -r requirements.txt
# Run interactive mode
python entra_recon.py📖 Full documentation: EntraRecon-PY.md
| Document | Description |
|---|---|
| EntraRecon-PS1.md | Full PowerShell script documentation including all parameters, features, and usage examples |
| EntraRecon-PY.md | Full Python script documentation including authentication methods, stealth configuration, and examples |
Both versions provide the same core functionality:
| Feature | PowerShell | Python |
|---|---|---|
| User Enumeration (15+ methods) | ✅ | ✅ |
| Security Assessment | ✅ | ✅ |
| Credential Attack Surface | ✅ | ✅ |
| Conditional Access Analysis | ✅ | ✅ |
| Device/Intune Enumeration | ✅ | ✅ |
| Attack Path Analysis | ✅ | ✅ |
| Power Platform Enumeration | ✅ | ✅ |
| Lateral Movement Analysis | ✅ | ✅ |
| BloodHound Export | ✅ | ✅ |
| HTML Report Generation | ✅ | ✅ |
| Stealth Mode | ✅ | ✅ |
| Interactive Menu | ✅ | ✅ |
| Azure CLI Token | ✅ | ✅ |
| Device Code Flow | ✅ | ✅ |
| Refresh Token Exchange | ❌ | ✅ |
| Extended App ID Database | ❌ | ✅ |
| Stealth Presets | ❌ | ✅ |
pip install -r requirements.txtOr install manually:
pip install msal requests
# Optional: Additional authentication methods
pip install azure-identityThe script will automatically install the required Microsoft.Graph.Users module on first run.
Both scripts support multiple authentication methods:
- Interactive Browser - OAuth login via browser
- Device Code Flow - Code-based authentication for headless environments
- Azure CLI Token - Use cached
az logincredentials - Azure PowerShell Token - Use cached
Connect-AzAccountcredentials - Environment Variables - Set
GRAPH_ACCESS_TOKENorAZURE_ACCESS_TOKEN - Manual Token Input - Paste a token directly
The Python version additionally supports:
- Refresh Token Exchange - Use tokens from ROADtools, TokenTactics, etc.
- Managed Identity - For Azure-hosted environments
- VS Code Credential - Azure extension cached token
- Shared Token Cache - Windows cached credentials
This toolkit is intended for authorized security testing and research purposes only. Users are responsible for ensuring they have proper authorization before using these tools against any systems. The authors assume no liability for misuse of this software.
GNU General Public License v3.0 - See LICENSE file for details.
Copyright (C) 2025 Logisek
Contributions are welcome! Please feel free to submit pull requests or open issues for bugs and feature requests.
- Microsoft Graph API - Primary data source
- BloodHound - Attack path analysis inspiration
- AzureHound - Azure data collection format
- microsoft-info - Microsoft First Party App Names & Graph Permissions