Over the past several years as an Incident Response consultant I have witnessed a myriad of obfuscation and evasion techniques employed by several threat actors. Some of these techniques are incredibly complex while others are tastefully simple, but both categories are employed to evade detection. In my experience, I have found APT32 and FIN7 to pull out the most alluring obfuscation techniques, and their creativity is noteworthy. In June 2017, after a slew of incremental command line obfuscation techniques, FIN7 used an environment variable string substitution capability native to cmd.exe that at the time I did not know even existed. Spurred by this discovery, I co-authored a blog post with Nick Carr (@ItsReallyNick) called Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques, where we highlighted numerous groups' obfuscation techniques we identified in the wild.