
Summary
This detection rule targets suspicious use of PowerShell in combination with `nslookup` to form a download cradle that may retrieve malicious payloads via DNS queries. The rule identifies execution of `nslookup.exe` with a PowerShell parent process, typically indicative of adversarial behavior leveraging DNS-based exfiltration or remote code execution techniques. The detection logic first requires the image to be `nslookup.exe` with a parent process of either `powershell.exe` or `pwsh.exe`. It then checks the command line for the switches commonly used to request DNS text records, specifically `-q=txt` or `-querytype=txt`; such TXT-record queries can be abused to download payloads.
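The three conditions above, as an added worked example (not the rule's own code): a Python re-implementation of the match logic run over constructed Sysmon-style process-creation events, with a negative case for each condition so the rule's scope is visible. Field names, paths and domains are assumptions chosen for illustration.

```python
# Added example: Python re-implementation of the rule described above, run over
# constructed Sysmon-style process-creation events (field names follow Event ID 1).

IMAGE_SUFFIXES = ("\\nslookup.exe",)
PARENT_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
TXT_QUERY_MARKERS = ("-q=txt", "-querytype=txt")


def _ends_with_any(value, suffixes):
    """Case-insensitive 'endswith' over several candidates (Sigma semantics)."""
    return any(value.lower().endswith(s) for s in suffixes)


def _contains_any(value, needles):
    """Case-insensitive 'contains' over several candidates (Sigma semantics)."""
    return any(n in value.lower() for n in needles)


def matches_rule(event):
    """True only when all three conditions hold: nslookup image, PowerShell
    parent, and a TXT-record query switch somewhere on the command line."""
    return (
        _ends_with_any(event.get("Image", ""), IMAGE_SUFFIXES)
        and _ends_with_any(event.get("ParentImage", ""), PARENT_SUFFIXES)
        and _contains_any(event.get("CommandLine", ""), TXT_QUERY_MARKERS)
    )


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events; the domains are placeholders
    {"Image": r"C:\Windows\System32\nslookup.exe",  # 1: fires (-q=txt)
     "ParentImage": PS_PATH,
     "CommandLine": "nslookup -q=txt record.example.invalid"},
    {"Image": r"C:\Windows\System32\nslookup.exe",  # 2: fires (pwsh, mixed case)
     "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "nslookup -QueryType=TXT record.example.invalid"},
    {"Image": r"C:\Windows\System32\nslookup.exe",  # 3: plain A lookup, no TXT
     "ParentImage": PS_PATH,
     "CommandLine": "nslookup www.example.invalid"},
    {"Image": r"C:\Windows\System32\nslookup.exe",  # 4: cmd.exe parent, out of scope
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -querytype=txt _dmarc.example.invalid"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """1-based indexes (matching the comments above) of the events that fire."""
    return [i for i, ev in enumerate(events, start=1) if matches_rule(ev)]
```

Event 4 shows that a TXT query launched from any non-PowerShell parent falls outside this rule, and event 1 shows that an administrator's legitimate TXT lookup from a PowerShell session will also match, so environments where that is routine may need tuning on the queried domain.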
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-09-05