While investigating a compromised network, we found suspicious PowerShell code that ran on a domain controller. The script downloaded a file called chrome_installer.exe and installed it.

We checked the file and found it was signed by Google, so it’s a genuine Chrome installer. We searched for snippets from the code online and found the exact same script on a website titled "Install Chrome on Windows Server."

So basically, a (domain) administrator copied some random PowerShell script from a random site on the Internet and ran it - on a domain controller!

What could possibly go wrong? 🤯
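The two triage steps described in the post (check the dropped binary's signature, then go after the script that fetched it) as an added PowerShell example. This is not code from the original post; the file path, the expected signer organisation string, and the "chrome_installer" search term are assumptions for illustration.

```powershell
# Added example, not part of the original post. Triage of a file dropped by an
# unknown PowerShell script on a domain controller.
# Assumptions: the dropped file sits at $Path, and a genuine Chrome installer is
# signed with a certificate whose Subject contains 'O=Google LLC'.
$Path           = 'C:\Windows\Temp\chrome_installer.exe'   # assumed location
$ExpectedSigner = 'O=Google LLC'                           # assumed signer string

# Step 1: Authenticode signature and hash of the binary.
$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = Get-FileHash -Path $Path -Algorithm SHA256

[pscustomobject]@{
    File       = $Path
    SHA256     = $hash.Hash
    Status     = $sig.Status      # 'Valid' only if the chain builds to a trusted root
    StatusMsg  = $sig.StatusMessage
    Signer     = $sig.SignerCertificate.Subject
    Issuer     = $sig.SignerCertificate.Issuer
    Thumbprint = $sig.SignerCertificate.Thumbprint
    NotAfter   = $sig.SignerCertificate.NotAfter
} | Format-List

if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
    Write-Warning "Signature invalid or unexpected signer: $($sig.SignerCertificate.Subject) ($($sig.Status))"
}

# Step 2: a valid signature on the payload says nothing about the script that
# fetched it. Pull the script text from PowerShell script block logging
# (Event ID 4104 in Microsoft-Windows-PowerShell/Operational, if logging is enabled)
# so the whole script, not just the download line, can be reviewed.
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'chrome_installer' } |   # assumed search term
    Select-Object TimeCreated, Id, @{ n = 'Script'; e = { $_.Message } }

if ($blocks) {
    $blocks | Format-List
} else {
    Write-Warning 'No matching 4104 events: script block logging may be disabled or the log rolled over.'
}
```

The signature check answers only "is this binary what its signer shipped"; the second step is where the actual question (what else did that script do on the DC) gets answered, which is why the 4104 lookup is included alongside the signature check rather than stopping at a valid signature.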

@malmoeb totally safe! Nothing to fear!