McAfee security researcher Cedric Cochin identified the Cortana Elevation of Privilege Vulnerability, which is tracked as CVE-2018-8140.
Cochin says the problem is that Cortana's default settings make it respond to any voice calling “Hey Cortana” from the lock screen, which attackers can abuse to interact with the operating system even if the computer is locked.
By saying “Hey Cortana”, users can bring up a contextual menu on the locked device's login screen, where they can type to search for files present on the system, and Cortana returns results from indexed files and applications.
If a filename matches, Cortana shows the file location, and if file content matches, it presents the content itself.
Attackers can use these methods to execute a dropped payload on the system as an administrator by just right-clicking the file and choosing “Run as administrator”.
Researchers used a simple PowerShell command to execute code present on the USB drive, bypassing the policy and resetting the password so they could log in to the Windows 10 machine.