update

PhD/seminar/biblio.yml

@@ -0,0 +1,12 @@
+mitre_masquerade:
+    type: Web
+    title: "Masquerading: Match Legitimate Name or Location"
+    serial-number: T1036.005
+    author: MITRE | ATT&CK
+    url: https://attack.mitre.org/techniques/T1036/005/
+
+mount:
+  type: web
+  title: "Hiding Linux Processes with Blind Mounts"
+  author: Hal Pomeranz
+  url: https://righteousit.com/2024/07/24/hiding-linux-processes-with-bind-mounts/

PhD/seminar/images/windows.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M22 2 11.2 3.6v8l10.8-.1V2zM10.2 12.5 2 12.4v6.8l8.1 1.1.1-7.8zM2 4.8v6.8h8.1V3.7L2 4.8zm9.1 7.7v7.9L22 22v-9.4l-10.9-.1z"/></svg>

PhD/seminar/seminar.typ

@@ -29,7 +29,18 @@
 #slide(title:"State of the IDS")[
   // Process masquerading is trivialy posible and used by many attacks (Mitre AttCK list)
 
+#line-by-line[
+- #text(weight:"bold")[Known Attacks] #cite(label("mitre_masquerade"), supplement:"MITRE"): AcroRD32.exe (Adobe), kb-10233.exe (Windows Update), mfevtpse.exe (McAfee).
+- #text(weight:"bold")[Technics:]
+ - #box(baseline: 60%, height:2em, image("images/linux.svg", height:100%)): Bind Mounts @mount, #text(fill:red)[find more]
+
+
+ - #box(baseline: 60%, height:2em, image("images/windows.svg", height:100%)): msdtc.exe , #text(fill:red)[find more]
 ]
+
+]
+
+
 #slide(title:"State of the IDS")[
   // Countermeasure to process masquerading
 Listed by MITRE|ATT&CK:
@@ -85,4 +96,5 @@ Power is:
 ]
 
 #slide(title:"Future Developements")[
+#bibliography("biblio.yml")
 ]