In 2013 Nick posted an article about Windows x64 system service hooks and advanced debugging. 2 years later Alex Ionescu published his classic Esoteric Hooks (PDF), and eventually Lasha Khasaia (@_qaz_qaz) published a POC that seemed to work as well.
All these references are pretty rare, and I must admit, I have not tested the code available, but it would be a waste it this trick was not covered one way or another, as both EDR and sandboxes could be potentially fooled by it…
How does it work?
NtSetInformationProcess(NtCurrentProcess(), ProcessInstrumentationCallback, &callback, sizeof(callback));
So… if you are one of the vendors that operate in this space I hope you cover this particular call, at least.
My contribution to the topic: 0. But… Better safe than sorry.
For a comprehensive list of code injection techniques, check this post.