One of the things we found a while ago is that the TDL/TDSS-type rootkits often leave a calling card: System Event Log entries for 'ftdisk', event IDs 45 and 49. If we see both of these event IDs when a machine boots, we almost always find a rootkit on the machine.
So, here's the event set for you. Note that we've taken to naming our event sets in such a way as to know which event log we're attaching it to, after some mishaps with misapplied event sets... it'd be nice if Kaseya would let us set that in the event set itself to prevent that...
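An added example, not code from the post or from Kaseya: the same 45/49 correlation applied to a constructed export of System log records. The `timestamp|source|id` line format, the use of EventLog 6005 as the boot marker and the 10-minute window are assumptions of this example.

```python
"""Flag boots after which both ftdisk event IDs 45 and 49 appear in the System log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Heuristic from the post: both ftdisk IDs logged during a boot warrant a rootkit check.
FTDISK_SOURCE = "ftdisk"
FTDISK_IDS = {45, 49}
BOOT_MARKER = ("EventLog", 6005)      # "Event log service was started"; assumed boot marker
BOOT_WINDOW = timedelta(minutes=10)   # assumed: how long after boot still counts as "at boot"

@dataclass
class Event:
    time: datetime
    source: str
    event_id: int

def parse_line(line: str) -> Event:
    """Parse one 'timestamp|source|id' record (constructed export format, not Kaseya's)."""
    ts, source, eid = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), source, int(eid))

def boots_with_ftdisk_pair(events: Iterable[Event]) -> list[datetime]:
    """Return boot times after which both ftdisk 45 and 49 were logged within BOOT_WINDOW."""
    events = sorted(events, key=lambda e: e.time)
    boots = [e.time for e in events if (e.source, e.event_id) == BOOT_MARKER]
    hits = []
    for boot in boots:
        seen = {e.event_id for e in events
                if e.source.lower() == FTDISK_SOURCE
                and boot <= e.time <= boot + BOOT_WINDOW}
        if FTDISK_IDS <= seen:          # both IDs present in this boot's window
            hits.append(boot)
    return hits

# Constructed sample: two boots; only the second logs both ftdisk IDs at boot.
# On the first day, 49 arrives hours later and must not count.
SAMPLE_LOG = """\
2011-03-01T08:00:00|EventLog|6005
2011-03-01T08:00:12|ftdisk|45
2011-03-01T14:30:00|ftdisk|49
2011-03-02T08:00:00|EventLog|6005
2011-03-02T08:00:05|ftdisk|45
2011-03-02T08:00:07|ftdisk|49
"""

def scan(text: str) -> list[datetime]:
    """Parse an exported log and return the boots that match the 45/49 pattern."""
    return boots_with_ftdisk_pair(parse_line(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for boot in scan(SAMPLE_LOG):
        print(f"ftdisk 45+49 at boot {boot:%Y-%m-%d %H:%M}: check for TDL/TDSS-type rootkit")
```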
Nice, I recall this being brought up a while back by benny in the other forums (hint hint forum gods)

Edit: By the by... this event set works well... since deploying we've been able to catch a few instances.
Thanks GD :)
*because sharing is caring*