Evasion techniques: obfuscation (encode/encrypt payload), living-off-the-land (use built-in tools: PowerShell, certutil, mshta), process injection (hide in legitimate processes), API unhooking (bypass EDR hooks).
Modern EDR uses behavioral analysis, so pure obfuscation doesn't defeat it. LOLBAS (Living Off the Land Binaries and Scripts) refers to trusted Windows tools used for attack steps. EDR detects the behavior, not just the binary. Red teams constantly develop new evasion techniques; blue teams must detect behavior, not just signatures.