When I started my journey in Malware Development and AV/EDR Evasion, most of the articles and blog posts I read recommended the use of syscalls. By issuing a syscall directly, an adversary transitions into kernel mode without going through the ntdll.dll export stubs that a user-land hook has patched, so the hook is never executed. Evasion works here because user-land hooking lives entirely in user mode: the inline hooks are written into the first bytes of functions such as NtAllocateVirtualMemory, and a direct syscall simply never runs those bytes. This does not make the activity invisible to the kernel (kernel callbacks and ETW still see what the syscall does), but it does defeat the user-mode hook itself. Another advantage is that the Nt* functions invoked this way are not referenced in the import table, since the binary never calls the ntdll.dll exports.