Add inter-process communication file

[kevross33]

Add signatures for inter-process communication which can be used for local c2 between various malicious processes, for injecting/executing code between processes or potentially banking trojan activity.

Kazuar (Turla APT backdoor) 1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the system's ability to detect sophisticated malware behaviors by introducing robust signatures for monitoring inter-process communication. By focusing on named pipes, mutexes, and shared memory, it provides critical visibility into how malicious processes might be coordinating, injecting code, or exfiltrating data locally, thereby strengthening the platform's threat detection capabilities against advanced persistent threats and other forms of malware.

Highlights

• New Inter-Process Communication (IPC) Signatures: Introduced three new Cuckoo signatures to detect various forms of inter-process communication on Windows systems: named pipes, mutexes, and shared memory.
• Malicious Activity Detection: The new signatures are designed to identify suspicious IPC patterns that could indicate local Command and Control (C2) traffic, process injection, or banking trojan activity.
• Detailed IPC Event Logging: Each signature logs specific events, including the names of the IPC objects and the processes involved (creator and accessor), to provide granular insights into potential malicious interactions.
• Noise Reduction: Implemented filtering mechanisms to ignore common, legitimate system IPC objects (e.g., specific named pipes, mutexes, and shared memory sections) to reduce false positives.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces three new Cuckoo signatures to detect inter-process communication (IPC) via named pipes, mutexes, and shared memory. The implementation is solid and covers important IPC mechanisms used by malware. My review includes suggestions to improve performance by optimizing the event deduplication logic across all three signatures, enhancing code readability, and refining a key name for better clarity. These changes will make the signatures more efficient and maintainable.