- Direct system calls (bypassing user-mode API hooks)
- Syscall proxying and indirect syscall techniques
- ETW (Event Tracing for Windows) patching
- AMSI bypass techniques
- Sleep obfuscation (encrypting implant memory during sleep)
- Module stomping and phantom DLL loading