EvilMist
EvilMist is a collection of scripts and utilities designed to support cloud penetration testing & red teaming. The toolkit helps identify misconfigurations, assess privilege-escalation paths, and simulate attack techniques. EvilMist aims to streamline cloud-focused red-team workflows and improve the overall security posture of cloud infrastructures
Install / Use
/learn @Logisek/EvilMistREADME
EvilMist
EvilMist is a collection of scripts and utilities designed to support cloud security configuration audit, cloud penetration testing & cloud red teaming. The toolkit helps identify misconfigurations, assess privilege-escalation paths, and simulate attack techniques. EvilMist aims to streamline cloud-focused red-team workflows and improve the overall security posture of cloud infrastructures
Tools
Unauthenticated Entra ID Enumeration
Unauthenticated Azure/Entra ID enumeration and reconnaissance tool. Performs passive/semi-passive enumeration using publicly accessible APIs and DNS queries without requiring any authentication tokens.
Key Features:
- No Authentication Required - Works without Azure tokens or credentials
- Tenant Discovery - Retrieve tenant ID, name, region via azmap.dev and OpenID config
- Domain Realm Analysis - Identify Managed vs Federated authentication
- User Existence Checking - Verify email addresses via GetCredentialType API
- DNS Reconnaissance - Enumerate MX, SPF, TXT, CNAME, SRV, Autodiscover records
- Port Scanning - Check common Azure ports (HTTPS, LDAP, Kerberos, RDP)
- Stealth Mode - Configurable delays and jitter to avoid rate limiting
- Export Options - JSON and CSV export formats
| Version | Documentation | File |
|---------|---------------|------|
| PowerShell | EntraEnum-PS1.md | scripts/powershell/Invoke-EntraEnum.ps1 |
Enumerate-EntraUsers
Comprehensive Azure Entra ID (Azure AD) user enumeration and security assessment tool, available in both PowerShell and Python versions.
Key Features:
- 15+ User Enumeration Methods - Works even when direct
/usersaccess is blocked - Security Assessment - MFA status, privileged roles, stale accounts, guest users
- Credential Attack Surface - SSPR, legacy auth, app passwords analysis
- Conditional Access Analysis - Policy enumeration and gap detection
- Device & Intune Enumeration - Managed devices, compliance policies
- Attack Path Analysis - Privilege escalation paths and lateral movement
- Power Platform - Power Apps and Power Automate flow enumeration
- Export Options - BloodHound/AzureHound JSON, HTML reports, CSV/JSON
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---------|---------------|------|
| PowerShell | EntraRecon-PS1.md | scripts/powershell/Invoke-EntraRecon.ps1 |
| Python | EntraRecon-PY.md | scripts/python/entra_recon.py |
MFA Security Check
Focused security assessment tool to identify Azure Entra ID users without Multi-Factor Authentication (MFA) enabled. Includes advanced features for shared mailbox detection and sign-in activity analysis..
Key Features:
- MFA Detection - Identifies users without strong authentication methods
- Last Sign-In Tracking - Shows last login date/time and activity patterns
- Shared Mailbox Detection - Automatically identifies and filters shared mailbox accounts
- Sign-In Capability Check - Determines if accounts can actually authenticate
- Risk Assessment - Categorizes users by risk level (HIGH/MEDIUM/LOW)
- Activity Analytics - Sign-in statistics, department breakdowns, stale accounts
- Matrix View - Compact table format for quick visual scanning
- Export Options - CSV/JSON with comprehensive user details
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---------|---------------|------|
| PowerShell | EntraMFACheck-PS1.md | scripts/powershell/Invoke-EntraMFACheck.ps1 |
Guest Account Enumeration
Comprehensive guest account analysis tool to identify, analyze, and assess the security posture of external users in Azure Entra ID. Essential for guest access governance and security audits.
Key Features:
- Guest Account Discovery - Enumerate all guest users in the tenant
- MFA Status Detection - Identify guests without Multi-Factor Authentication
- Last Sign-In Tracking - Shows login date/time and activity patterns for guests
- Guest Domain Extraction - Identifies originating organizations of guest users
- Invite Status Tracking - Shows accepted, pending, or expired invitations
- Risk Assessment - Categorizes guests by risk level (HIGH/MEDIUM/LOW)
- Activity Analytics - Sign-in statistics, stale accounts, unused invites
- Matrix View - Compact table format for quick visual scanning
- Filtering Options - Show only guests without MFA or include disabled accounts
- Export Options - CSV/JSON with comprehensive guest details
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---------|---------------|------|
| PowerShell | EntraGuestCheck-PS1.md | scripts/powershell/Invoke-EntraGuestCheck.ps1 |
Critical Administrative Access Check
Comprehensive security assessment tool to identify Azure Entra ID users with access to 10 critical administrative applications including PowerShell tools, management portals, core Microsoft 365 services, and privileged identity management. Essential for privileged access governance and administrative tool auditing.
Key Features:
- Critical Access Discovery - Enumerate users with administrative application access across all tiers
- Explicit Assignment Focus - Shows users with elevated/administrative access (not basic user access)
- Default Access Detection - Automatically detects and warns about apps with default access
- Security-Focused Results - Filters out noise from basic user access to focus on privileged users
- Multiple Application Coverage - Tracks 10 critical apps: Azure/AD PowerShell, Azure CLI, Graph Tools, M365/Azure Portals, Exchange/SharePoint Online, and PIM
- MFA Status Detection - Identify privileged users without Multi-Factor Authentication
- Last Sign-In Tracking - Shows login date/time and activity patterns
- Assignment Tracking - Shows when users were granted management access
- Risk Assessment - Categorizes users by risk level (HIGH/MEDIUM/LOW)
- Activity Analytics - Sign-in statistics, stale accounts, inactive users
- Matrix View - Compact table format for quick visual scanning
- Filtering Options - Show only users without MFA or include disabled accounts
- Export Options - CSV/JSON with comprehensive access details
- Stealth Mode - Configurable delays and jitter to avoid detection
| Version | Documentation | File |
|---------|---------------|------|
| PowerShell | EntraAppAccess-PS1.md | scripts/powershell/Invoke-EntraAppAccess.ps1 |
Quick Start
Script Dispatcher (PowerShell)
Execute any script from the root directory without navigating to subfolders:
# Interactive mode - shows menu to select script
.\Invoke-EvilMist.ps1
# Execute specific script directly
.\Invoke-EvilMist.ps1 -Script EntraRecon -ExportPath "users.csv"
# List all available scripts
.\Invoke-EvilMist.ps1 -List
# Execute with any parameters (all passed through to target script)
.\Invoke-EvilMist.ps1 -Script EntraMFACheck -Matrix -OnlyNoMFA
Available scripts: EntraEnum, EntraRecon, EntraMFACheck, EntraGuestCheck, EntraAppAccess, EntraRoleCheck, EntraServicePrincipalCheck, EntraConditionalAccessCheck, EntraAdminUnitCheck, EntraStaleAccountCheck, EntraDeviceCheck, EntraSSPRCheck, EntraPasswordPolicyCheck, EntraLegacyAuthCheck, EntraLicenseCheck, EntraDirectorySyncCheck, EntraPowerPlatformCheck, EntraGroupCheck, EntraApplicationCheck, EntraAttackPathCheck, EntraAzureRBACCheck, EntraOAuthConsentCheck, EntraSignInRiskCheck, EntraPIMCheck, EntraKeyVaultCheck, EntraStorageAccountCheck, EntraNetworkSecurityCheck, EntraManagedIdentityCheck, EntraExchangeCheck, EntraSharePointCheck, EntraTeamsCheck, EntraAzureAttackPathCheck, EntraReport, EntraComplianceCheck, SharePointEnum
Unauthenticated Entra ID Enumeration (PowerShell)
Requirements: PowerShell 7+ (no additional modules needed)
# Basic domain enumeration (TenantInfo, DomainRealm, DNS)
.\Invoke-EvilMist.ps1 -Script EntraEnum -Domain example.com
# Check if email exists
.\Invoke-EvilMist.ps1 -Script EntraEnum -Email admin@example.com -UserEnum
# Bulk user enumeration from file
.\Invoke-EvilMist.ps1 -Script EntraEnum -EmailList users.txt -UserEnum -Throttle 1
# Full enumeration with export
.\Invoke-EvilMist.ps1 -Script EntraEnum -Domain example.com -All -ExportPath results.json
# Stealth mode
.\Invoke-EvilMist.ps1 -Script EntraEnum -Domain example.com -All -EnableStealth
📖 Full documentation: EntraEnum-PS1.md
Enumerate-EntraUsers (PowerShell)
Requirements: PowerShell 7+
# Using dispatcher (recommended)
.\Invoke-EvilMist.ps1 -Script EntraRecon
# With Azure CLI token
.\Invoke-EvilMist.ps1 -Script EntraRecon -UseAzCliToken
# Export all users
.\Invoke-EvilMist.ps1 -Script EntraRecon -ExportPath "users.csv"
# Stealth mode
.\Invoke-EvilMist.ps1 -Script EntraRecon -EnableStealth
📖 Full documentation: EntraRecon-PS1.md
Enumerate-EntraUsers (Python)
Requirements: Python 3.8+, msal, requests
# Install dependencies
pip install -r requirements.txt
# Run directly from subfolder
python scripts\python\entra_recon.py
📖 Full documentation: EntraRecon-PY.md
MFA Security Check (PowerShell)
Requirements: PowerShell 7+, Microsoft.Graph modules
# Using dispatcher (recommended)
.\Invoke-EvilMist.ps1 -Script EntraMFACheck
# Scan for users without MFA
.\Invoke-EvilMist.ps1 -Script EntraMFACheck
Related Skills
node-connect
339.3kDiagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps
frontend-design
83.9kCreate distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
openai-whisper-api
339.3kTranscribe audio via OpenAI Audio Transcriptions API (Whisper).
commit-push-pr
83.9kCommit, push, and open a PR
