I can’t share all the meta, but might be able to provide a redacted snippet, any suggestion what meta to include?
that being said, I have looked through all the meta during the time period I ran the command. I couldn’t find anything in the investigate module that would suggest it monitored this activity
when you say that you suspect it’s because you’re expected lsass.exe do you mean the exe itself being executed? I would’ve thought the use of rundll32 would trigger because there is other meta that reference rundll32