himata4113 3 hours ago

This is a common misconception: just because you're in kernel mode doesn't mean you are immediately undetected, and things are not as easy as people initially think.

First, point of ingress: registry, file caches, dns, vulnerable driver logs.

Memory probe detection: workingsets, page guards, non trivial obfuscation, atoms, fibers.

Detection: usermode exposes a lot of kernel internals: raw access to window and process handles, 'undocumented' syscalls, win32, user32, kiucd, apcs.

Loss of functionality: no hooks, limited point of ingress, hardened obfuscation, encrypted pages, tamper protection.

I could go on, but generally "lol go kernelmode" is sometimes way more difficult than just hiding yourself among the legitimate functionality of third-party applications.

This is everything used by anticheats today, from usermode. The kernel module is more often than not used for integrity checks, vm detection and walking physical memory.