
Nslookup PowerShell Download Cradle

Summary
This detection rule identifies suspicious use of PowerShell to run a download cradle via nslookup. The technique abuses the nslookup DNS query tool to fetch encoded payloads stored in DNS TXT records. The rule detects this behaviour by monitoring for specific keywords in PowerShell commands: it checks that a command contains both 'powershell' and 'nslookup', and further filters for indicators of a DNS TXT query that references an HTTP resource. The detection focuses on command execution within PowerShell, aiming to uncover attempts to leverage legitimate PowerShell functionality for unauthorized payload delivery. The rule is relevant to command-and-control and data exfiltration scenarios.
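As an added illustration of the matching logic described in the summary (this is not the rule's own Sigma YAML, and the field names, the `ProcessEvent` type and the exact TXT-query indicator strings are assumptions modelled on the summary), the following Python applies the three conditions, PowerShell plus nslookup, a TXT-query marker, and an HTTP reference, to a handful of constructed process-creation events:

```python
# Added example, not the Sigma rule itself. Field names and indicator strings
# are assumptions patterned on the rule summary, not copied from the rule.
from dataclasses import dataclass
from typing import Iterable, List

# Assumed TXT-query markers; the real rule's values may differ.
TXT_QUERY_MARKERS = ("-q=txt", "-type=txt", "-querytype=txt")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed shape, Sysmon EID 1 style)."""
    image: str                 # executable that was started
    parent_image: str          # executable that started it
    command_line: str          # full command line of the new process
    parent_command_line: str = ""


def _searchable_text(evt: ProcessEvent) -> str:
    """Fold all fields the summary's keyword checks could apply to into one string."""
    return " ".join(
        (evt.image, evt.parent_image, evt.command_line, evt.parent_command_line)
    ).lower()


def is_nslookup_download_cradle(evt: ProcessEvent) -> bool:
    """Apply the summary's conditions in order; every one must hold."""
    text = _searchable_text(evt)
    # 1. both 'powershell' and 'nslookup' must be present
    if "powershell" not in text or "nslookup" not in text:
        return False
    # 2. the nslookup call must be a TXT record query
    if not any(marker in text for marker in TXT_QUERY_MARKERS):
        return False
    # 3. the query must reference an HTTP resource
    return "http" in text


def triage(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events that satisfy the detection."""
    return [e for e in events if is_nslookup_download_cradle(e)]


# Constructed sample telemetry (not real events). Hostnames use the reserved
# .invalid TLD so nothing here resolves.
NSLOOKUP = r"C:\Windows\System32\nslookup.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    # Benign admin lookup from cmd.exe: no PowerShell involved.
    ProcessEvent(NSLOOKUP, CMD, "nslookup -type=mx example.invalid"),
    # TXT query from PowerShell (e.g. an SPF check) with no HTTP reference.
    ProcessEvent(NSLOOKUP, POWERSHELL, "nslookup -q=txt example.invalid"),
    # All three indicators present: this is the one the rule flags.
    ProcessEvent(NSLOOKUP, POWERSHELL, "nslookup -q=txt http.stage.example.invalid"),
    # PowerShell fetching over HTTP without nslookup: out of scope for this rule.
    ProcessEvent(POWERSHELL, EXPLORER,
                 'powershell.exe -c "Invoke-WebRequest http://intranet.example.invalid"'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit.parent_image, "->", hit.command_line)
```

The second sample shows why the HTTP condition matters: a plain TXT lookup from a PowerShell session is common in mail and domain-verification tooling, so requiring the HTTP reference keeps those out. The check is still a coarse substring filter, so in production it belongs on process-creation telemetry that records the parent image, and hits should be reviewed alongside the parent's full command line.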
Categories
  • Windows
  • Endpoint
  • Cloud
Data Sources
  • Process
  • Command
  • Application Log
Created: 2022-12-10