Gabriel, I agree with a lot of this! I've been working to identify the techniques that should only be detected *opportunistically* - that is, with no expectation of complete coverage. PowerShell is the perfect example. Interestingly, some techniques *can* be detected comprehensively because their procedures can be enumerated and each procedure can be detected theoretically. Love to hear more about what you think about this. thrivingdefense.com/pri…
May 20 at 10:54 AM