Malicious actors are always trying to find new ways to avoid detection by evermore vigilant EDR systems and deploy their payloads. Over the years, the scope of techniques used has branched from relatively simplistic hash comparison and sandbox avoidance to low level log dodging and even direct circumvention of EDR telemetry acquisition. By examining some of the techniques used on Windows systems this talk will highlight will highlight the range of capabilities defensive operators are dealing with, how some can be detected and, in rare cases, the performance and false-positive obstacles in designing detection capability.