EDR kernel telemetry now detects direct syscalls, turning the classic unhooking bypass into a detection signal
For years, red teams bypassed EDR userland hooks by issuing direct syscalls to the Windows kernel, skipping the hooked ntdll.dll functions entirely. EDR vendors responded with kernel-level ETW telemetry that carries the user-mode call stack of each syscall, so any syscall whose originating frame lies outside ntdll.dll is flagged as suspicious, turning the bypass itself into a high-confidence detection. Red teams now face a catch-22: call through ntdll (hooked and detected) or issue a direct syscall (the kernel telemetry detects the bypass). This persists because Microsoft keeps adding kernel telemetry providers that give EDR vendors visibility into where syscalls originate, and each new evasion technique creates a new detection surface.
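One way to express that origin check as detection logic, shown here as an added example and not as code from the page or from Elastic: for every syscall event, resolve the innermost user-mode return address against the process's loaded modules and raise a finding when it does not fall inside ntdll.dll. As a generalization of the same idea, the check also reports frames higher up the stack that return into memory backed by no image at all. The module ranges, addresses, event records and data classes are constructed assumptions standing in for whatever shape the real telemetry arrives in.

```python
"""Constructed illustration of a call-stack origin check for syscall telemetry.

An EDR that subscribes to kernel ETW events carrying a user-mode call stack
can ask one question per syscall: did the instruction that entered the kernel
execute inside ntdll.dll?  Every module range and address below is made up.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class SyscallEvent:
    pid: int
    syscall: str
    # Return addresses from the ETW call stack, innermost user-mode frame
    # first: frame 0 is the address just after the instruction that entered
    # the kernel.  (Assumed layout; real events carry more fields.)
    callstack: list[int]


@dataclass
class Finding:
    verdict: str                     # benign / direct_syscall / suspicious_stack / no_callstack
    frames: list[str]                # symbolized frames for the analyst
    reasons: list[str] = field(default_factory=list)


# Constructed module map for one process (bases and sizes are invented).
NTDLL = Module("ntdll.dll", 0x7FFE1A000000, 0x1F0000)
KERNEL32 = Module("kernel32.dll", 0x7FFE19800000, 0xC0000)
APP = Module("app.exe", 0x7FF600000000, 0x50000)
MODULES = [NTDLL, KERNEL32, APP]


def resolve_module(addr: int, modules: list[Module]) -> Optional[Module]:
    """Return the image whose mapped range contains addr, or None if unbacked."""
    for module in modules:
        if module.contains(addr):
            return module
    return None


def describe(addr: int, modules: list[Module]) -> str:
    """Render a frame as module+offset, or mark it as unbacked memory."""
    module = resolve_module(addr, modules)
    return f"{module.name}+0x{addr - module.base:x}" if module else f"unbacked:0x{addr:x}"


def classify_syscall(event: SyscallEvent, modules: list[Module]) -> Finding:
    """Classify one syscall event by where its call stack says it came from."""
    frames = [describe(a, modules) for a in event.callstack]
    if not event.callstack:
        # Edge case: telemetry without a stack cannot be judged either way.
        return Finding("no_callstack", frames, ["event carried no call stack"])

    reasons: list[str] = []
    origin = resolve_module(event.callstack[0], modules)
    if origin is None:
        reasons.append(f"{event.syscall} entered the kernel from unbacked memory {frames[0]}")
    elif origin.name.lower() != "ntdll.dll":
        reasons.append(f"{event.syscall} entered the kernel from {origin.name}, not ntdll.dll")

    # Generalization: frames above the origin that return into unbacked memory.
    for index, addr in enumerate(event.callstack[1:], start=1):
        if resolve_module(addr, modules) is None:
            reasons.append(f"frame {index} returns into unbacked memory 0x{addr:x}")

    if origin is None or origin.name.lower() != "ntdll.dll":
        verdict = "direct_syscall"
    elif reasons:
        verdict = "suspicious_stack"
    else:
        verdict = "benign"
    return Finding(verdict, frames, reasons)


# Constructed sample events: a normal call, a direct syscall from the main
# image, a direct syscall from unbacked memory, and an ntdll-origin call whose
# caller sits in unbacked memory.
SAMPLE_EVENTS = [
    SyscallEvent(4120, "NtOpenProcess", [0x7FFE1A0D1234, 0x7FFE1982AAAA, 0x7FF600001ABC]),
    SyscallEvent(4120, "NtOpenProcess", [0x7FF600003000, 0x7FF600001ABC]),
    SyscallEvent(4120, "NtOpenProcess", [0x1F4A00001000, 0x7FF600001ABC]),
    SyscallEvent(4120, "NtOpenProcess", [0x7FFE1A0D1234, 0x1F4A00001000, 0x7FF600001ABC]),
]


def run_samples() -> list[str]:
    """Classify the constructed events and return their verdicts in order."""
    return [classify_syscall(e, MODULES).verdict for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        finding = classify_syscall(event, MODULES)
        print(finding.verdict, "|", " <- ".join(finding.frames), "|", "; ".join(finding.reasons))
```

The first verdict is benign because frame 0 sits inside ntdll.dll and every caller resolves to an image; the second and third are the direct-syscall case the post describes (kernel entry from app.exe and from unbacked memory respectively); the fourth shows why the check is worth extending beyond frame 0, since the syscall instruction itself lives in ntdll but the code that called it does not.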
Evidence
https://www.elastic.co/security-labs/doubling-down-etw-callstacks