Zombie Ant Farm: Manipulation of Whitelisted Executables in Linux for EDR Evasion

Presented at THOTCON 0xA (2019), May 4, 2019, 11:30 a.m. (25 minutes)

Endpoint Detection and Response solutions have landed on Linux. With the ever-increasing footprint of Linux machines deployed in data centers, threat actors have been forced to move cross-platform in the presence of new defensive capabilities. EDRs have their challenges in covering the Linux landscape, and as such they come in various designs and address defense differently: some focus on sandboxing, others place more effort on execution heuristics, and yet others provide facilities to create restricted shells and exist in support of an enterprise policy, augmenting existing solutions that whitelist executables on systems.

On a recent Red Team engagement our team was faced with overcoming a commercial EDR on Linux. In this talk we want to share a few techniques we used to slide under the EDR's radar and expand offensive post-exploitation capabilities on a farm of hardened Linux machines. As they say, when EDRs give you lemons ... you turn them into oranges, and let the EDRs make lemonade ;) Specifically, we will see how pristine (often approved) executables can be subverted to execute foreign functionality while avoiding the runtime injection and common anti-debugging signatures the defense is looking for. We will walk through the process of using well-known capabilities of the dynamic loader, take lessons from user-land rootkits in our evasion choices, and attempt to lead DFIR teams on a wild goose chase after the artifacts of a compromise. Many of the details that went into this evasion can be generalized and possibly reused against other EDRs. We firmly believe that the ability to retool in the field matters, so we distilled the techniques into reusable code patterns and a small toolkit, which will serve as the basis for our discussion. Compelling known-good executables to misbehave is so much fun (and profit)!
