{"id":96304,"date":"2019-08-06T09:04:38","date_gmt":"2019-08-06T16:04:38","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=96304"},"modified":"2025-06-06T01:48:06","modified_gmt":"2025-06-06T08:48:06","slug":"the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/","title":{"rendered":"The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land"},"content":{"rendered":"<p>In the <a href=\"https:\/\/securingtomorrow.mcafee.com\/other-blogs\/mcafee-labs\/the-twin-journey-part-1\/\" target=\"_blank\" rel=\"noopener noreferrer\">first<\/a> of this 3-part blog series, we covered the implications of promoting files to \u201cEvil Twins\u201d where they can be created and remain in the system as different entities once case sensitiveness (CS) is enabled.<\/p>\n<p>In this 2<sup>nd<\/sup> post we try to abuse applications that do not work well with CS changes, abusing years of \u201cnormalization\u201d assumptions.<\/p>\n<p>It is worth noting that the impact of this change will vary depending on the target folder.<\/p>\n<p>Out of the box, Windows provides a tool (fsutil) to change CS information by invoking the underlying API NtSetInformationFile with FILE_CASE_SENSITIVE_INFORMATION flags.<\/p>\n<p>This tool contains several checks at user-mode level to restrict the target folder but, as usual, they can be easily bypassed using different path combinations. 
It is possible to create a tool or invoke the API from PowerShell to remove these checks.<\/p>\n<h2>Let us go over the following scenarios:<\/h2>\n<ul>\n<li>Changing ROOT drive CS:\n<ol>\n<li>fsutil restrictions will be bypassed and most of the console will not work unless you specify full paths (mostly because environment variables break under case sensitiveness).<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96305\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/08\/Iamge-1.png\" alt=\"\" width=\"563\" height=\"166\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Iamge-1.png 563w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Iamge-1-300x88.png 300w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/p>\n<ul>\n<li>Combinations to bypass this check include:\n<ul>\n<li>\\\\?\\C:\\ (by drive letter with long path)<\/li>\n<li>\\\\.\\BootPartition\\\\\u00a0 (by partition)<\/li>\n<li>\\\\?\\Volume{3fb4edf7-edf1-4083-84f8-7fbca215bfee}\\ (volume id)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Change \u201cprotected folders\u201d CS.\n<ol>\n<li>For some folders it is not enough to be Administrator; other types of ACLs are required instead.<\/li>\n<li>TrustedInstaller has the required permissions to do so and\u2026 you just need Admin permissions to change the service path:<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96306\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/08\/Image-2.png\" alt=\"\" width=\"760\" height=\"125\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-2.png 760w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-2-300x49.png 300w\" sizes=\"auto, (max-width: 760px) 100vw, 760px\" \/><\/p>\n<p>If you change the case sensitiveness of the Windows folder by using the same technique, 
Windows will not boot anymore.<\/p>\n<p>These scenarios introduce new, unexpected behaviors in current applications. For instance:<\/p>\n<ul>\n<li>A folder has CS enabled and contains two directories with the same name in different case.<\/li>\n<li>Trying to change CS will fail due to the \u201cmultiple files\/folders with the same name already exists\u201d check.<\/li>\n<li>Move one of the folders to the Recycle Bin.<\/li>\n<li>Change the CS of the folder.<\/li>\n<li>Restore the deleted file.<\/li>\n<li>The contents of the deleted file overwrite the one originally kept.<\/li>\n<\/ul>\n<h2><strong>Screenshots<\/strong><\/h2>\n<p>Left: Root drive with case sensitiveness enabled.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96307\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/08\/Image-3.png\" alt=\"\" width=\"1729\" height=\"705\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-3.png 1729w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-3-300x122.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-3-768x313.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-3-1024x418.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-3-1226x500.png 1226w\" sizes=\"auto, (max-width: 1729px) 100vw, 1729px\" \/><\/p>\n<p>Right: Program Files CS changed thanks to Trusted Installer ACL. 
If an application is not considering the proper case, next time it tries to execute a binary whose name may be normalized (to uppercase) it can spawn a different app.<\/p>\n<p>Watch the video recorded by our expert Cedric Cochin illustrating this technique:<\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Xy_VSCxZRTc\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<h2>Protection and Detection with McAfee Products<\/h2>\n<ul>\n<li>Products that rely on <a href=\"https:\/\/kc.mcafee.com\/corporate\/index?page=content&amp;id=KB87530\" target=\"_blank\" rel=\"noopener noreferrer\">SysCore<\/a> will protect C:\\ from case sensitive changes<\/li>\n<li><a href=\"https:\/\/kc.mcafee.com\/corporate\/index?page=content&amp;id=KB89677\" target=\"_blank\" rel=\"noopener noreferrer\">Endpoint Security Expert Rules<\/a><\/li>\n<li>Active Response:\n<ul>\n<li>Create a custom collector to query Case sensitiveness of important folders.<\/li>\n<li>Search for fsutil executions (or even History Processes if that collector is part of your Active Response version)\n<ul>\n<li>\u201cProcesses where Processes name equals fsutil.exe\u201d<\/li>\n<\/ul>\n<\/li>\n<li>MVISION EDR:\n<ul>\n<li>Realtime search\n<ul>\n<li>\u201cProcesses where Processes name equals fsutil.exe\u201d<\/li>\n<\/ul>\n<\/li>\n<li>Search for fsutil execution in the historical view<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96308\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/08\/Image-4.png\" alt=\"\" width=\"1471\" height=\"568\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-4.png 1471w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-4-300x116.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-4-768x297.png 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-4-1024x395.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Image-4-1295x500.png 1295w\" sizes=\"auto, (max-width: 1471px) 100vw, 1471px\" \/><\/p>\n<p>Artifacts involved:<\/p>\n<ul>\n<li>NT attributes change<\/li>\n<li>Fsutil execution<\/li>\n<li>Trusted Installer service changes<\/li>\n<\/ul>\n<p>Outcomes for this technique include:<\/p>\n<ul>\n<li>A ransomware could create C:\\Windows\\SYSTEM32 and cause a BSOD on next restart<\/li>\n<li>Change dll being loaded or an event stops application from starting<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In the first of this 3-part blog series, we covered the implications of promoting files to \u201cEvil Twins\u201d where they&#8230;<\/p>\n","protected":false},"author":1022,"featured_media":96318,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[961,5757],"class_list":["post-96304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],
"yoast_head_json":{"title":"The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land | McAfee Blog","description":"In the first of this 3-part blog series, we covered the implications of promoting files to \u201cEvil Twins\u201d where they can be created and remain in the system","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land | McAfee Blog","og_description":"In the first of this 3-part blog series, we covered the implications of promoting files to \u201cEvil Twins\u201d where they can be created and remain in the system","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2019-08-06T16:04:38+00:00","article_modified_time":"2025-06-06T08:48:06+00:00","og_image":[{"width":2048,"height":1152,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Labs-thumbnail2.jpeg","type":"image\/jpeg"}],"author":"Cedric Cochin, Leandro Costantino","twitter_card":"summary_large_image","twitter_creator":"@th3c3dr1c","twitter_site":"@McAfee","twitter_misc":{"Written by":"Cedric Cochin, Leandro Costantino","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/"},"author":{"name":"Cedric Cochin","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b044ffa5db03819d156d829d845faf8b"},"headline":"The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land","datePublished":"2019-08-06T16:04:38+00:00","dateModified":"2025-06-06T08:48:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/"},"wordCount":531,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Labs-thumbnail2.jpeg","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/","name":"The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Labs-thumbnail2.jpeg","datePublished":"2019-08-06T16:04:38+00:00","dateModified":"2025-06-06T08:48:06+00:00","description":"In the first of this 3-part blog series, we covered the implications of promoting files to \u201cEvil Twins\u201d where they can be created and remain in the system","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Labs-thumbnail2.jpeg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Labs-thumbnail2.jpeg","width":2048,"height":1152},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-twin-journey-part-2-evil-twins-in-a-case-in-sensitive-land\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee 
Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b044ffa5db03819d156d829d845faf8b","name":"Cedric Cochin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/361651799f45d6484e08abffa5b210bd","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/06\/CC_Blog-150x150.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/06\/CC_Blog-150x150.jpg","caption":"Cedric Cochin"},"description":"Cedric Cochin is a Senior Security Architect, 
CyberThreat SME; and a Senior Principal Engineer on McAfee\u2019s Future Threat Defense Technologies team. He has 20 years of experience in information security. Cochin\u2019s primary mission is to provide expertise to McAfee teams and serve as an expert on cybersecurity threats, understand the threat landscape and technologies to defeat threats, and to guide and facilitate the development of security solutions. He drives innovation and the authoring of proofs of concept to address complex and modern threats.","sameAs":["https:\/\/www.linkedin.com\/in\/cochin\/","https:\/\/x.com\/th3c3dr1c"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/cedric-cochin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/96304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/1022"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=96304"}],"version-history":[{"count":1,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/96304\/revisions"}],"predecessor-version":[{"id":215181,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/96304\/revisions\/215181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/96318"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=96304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=96304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=96304"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=96304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}