ION28 · ION28 · Mar 31, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [ION28]
diff --git a/.github/workflows/cloud-web.yml b/.github/workflows/cloud-web.yml
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -25,12 +25,10 @@ jobs:
     - name: Update submodules
       run: git submodule update --init --recursive
 
-    - name: Restore from cache, and install vcpkg and project dependencies
-      uses: lukka/run-vcpkg@v6
+    - name: Setup vcpkg environment
+      uses: lukka/run-vcpkg@v11
       with:
-        vcpkgArguments: '@../vcpkg_response_file.txt'
-        vcpkgDirectory: 'vcpkg'
-        appendedCacheKey: ${{ hashFiles(env.vcpkgResponseFile) }}
+        vcpkgDirectory: '${{ github.workspace }}/vcpkg'
 
     - name: Integrate vcpkg packages
       shell: powershell
@@ -39,10 +37,12 @@ jobs:
         .\vcpkg.exe integrate install
         cd ..
 
+    - name: Setup MSBuild
+      uses: microsoft/setup-msbuild@v2
+
     - name: Build BLUESPAWN-client
-      run: |
-        "%ProgramFiles(x86)%\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\MSBuild.exe" BLUESPAWN.sln /p:Configuration=${{ matrix.buildtype }} /p:Platform=${{ matrix.buildarch }}
       shell: cmd
+      run: msbuild BLUESPAWN.sln /p:Configuration=${{ matrix.buildtype }} /p:Platform=${{ matrix.buildarch }} /p:VcpkgEnableManifest=true /p:VcpkgManifestDir=${{ github.workspace }}
 
     - name: Set PowerShell Execution Policy
       run: powershell set-executionpolicy Unrestricted

diff --git a/BLUESPAWN-win-client/BLUESPAWN-client.vcxproj b/BLUESPAWN-win-client/BLUESPAWN-client.vcxproj
@@ -287,7 +287,7 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="PropertySheets">

diff --git a/BLUESPAWN-win-client/headers/hunt/hunts/HuntT1484.h b/BLUESPAWN-win-client/headers/hunt/hunts/HuntT1484.h
@@ -12,6 +12,8 @@ namespace Hunts {
 	public:
 		HuntT1484();
 
+		void Subtechnique001(IN CONST Scope& scope, OUT std::vector<std::shared_ptr<Detection>>& detections);
+
 		virtual std::vector<std::shared_ptr<Detection>> RunHunt(const Scope& scope) override;
 		virtual std::vector<std::pair<std::unique_ptr<Event>, Scope>> GetMonitoringEvents() override;
 	};

diff --git a/BLUESPAWN-win-client/headers/monitor/EventListener.h b/BLUESPAWN-win-client/headers/monitor/EventListener.h
@@ -5,6 +5,7 @@
 #include <vector>
 #include <map>
 #include <thread>
+#include <algorithm>
 
 #include "util/wrappers.hpp"
 

diff --git a/BLUESPAWN-win-client/libpeconv.vcxproj b/BLUESPAWN-win-client/libpeconv.vcxproj
@@ -53,7 +53,7 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="PropertySheets">

diff --git a/BLUESPAWN-win-client/pe-sieve.vcxproj b/BLUESPAWN-win-client/pe-sieve.vcxproj
diff --git a/BLUESPAWN-win-client/src/hunt/hunts/HuntT1036.cpp b/BLUESPAWN-win-client/src/hunt/hunts/HuntT1036.cpp
@@ -17,7 +17,7 @@ namespace Hunts {
     }
 
     void HuntT1036::Subtechnique005(IN CONST Scope& scope, OUT std::vector<std::shared_ptr<Detection>>& detections) {
-        SUBTECHNIQUE_INIT(005, Match Legitimate Name or Location);
+        SUBTECHNIQUE_INIT(005, Match Legitimate Resource Name or Location);
 
         SUBSECTION_INIT(SEARCH_WRITABLE, Intensive);
         for(auto folder : writableFolders) {

diff --git a/BLUESPAWN-win-client/src/hunt/hunts/HuntT1070.cpp b/BLUESPAWN-win-client/src/hunt/hunts/HuntT1070.cpp
@@ -12,7 +12,7 @@
 
 namespace Hunts {
 
-    HuntT1070::HuntT1070() : Hunt(L"T1070 - Indicator Removal on Host") {
+    HuntT1070::HuntT1070() : Hunt(L"T1070 - Indicator Removal") {
         dwCategoriesAffected = (DWORD) Category::Files | (DWORD) Category::Processes;
         dwSourcesInvolved = (DWORD) DataSource::EventLogs;
         dwTacticsUsed = (DWORD) Tactic::DefenseEvasion;

diff --git a/BLUESPAWN-win-client/src/hunt/hunts/HuntT1484.cpp b/BLUESPAWN-win-client/src/hunt/hunts/HuntT1484.cpp
@@ -9,15 +9,15 @@
 
 namespace Hunts {
 
-    HuntT1484::HuntT1484() : Hunt(L"T1484 - Group Policy Modification") {
+    HuntT1484::HuntT1484() : Hunt(L"T1484 - Domain or Tenant Policy Modification") {
         dwCategoriesAffected = (DWORD) Category::Files;
         dwSourcesInvolved = (DWORD) DataSource::FileSystem | (DWORD) DataSource::GPO;
         dwTacticsUsed = (DWORD) Tactic::DefenseEvasion;
     }
 
-    std::vector<std::shared_ptr<Detection>> HuntT1484::RunHunt(const Scope& scope) {
-        HUNT_INIT();
-
+    void HuntT1484::Subtechnique001(IN CONST Scope& scope, OUT std::vector<std::shared_ptr<Detection>>& detections) {
+        SUBTECHNIQUE_INIT(001, Group Policy Modification);
+        
         SUBSECTION_INIT(NTUSER_MAN, Normal)
         auto userFolders = FileSystem::Folder(L"C:\\Users").GetSubdirectories(1);
         for(auto userFolder : userFolders) {
@@ -28,6 +28,14 @@ namespace Hunts {
         }
         SUBSECTION_END();
 
+        SUBTECHNIQUE_END();
+    }
+
+    std::vector<std::shared_ptr<Detection>> HuntT1484::RunHunt(const Scope& scope) {
+        HUNT_INIT();
+
+        Subtechnique001(scope, detections);
+
         HUNT_END();
     }
 

diff --git a/BLUESPAWN-win-client/src/hunt/hunts/HuntT1569.cpp b/BLUESPAWN-win-client/src/hunt/hunts/HuntT1569.cpp
@@ -17,7 +17,7 @@ using namespace Registry;
 #define REGISTRY_SERVICES 0
 
 namespace Hunts {
-    HuntT1569::HuntT1569() : Hunt(L"T1569 - Service Execution") {
+    HuntT1569::HuntT1569() : Hunt(L"T1569 - System Services") {
         dwCategoriesAffected = (DWORD) Category::Configurations | (DWORD) Category::Files | (DWORD) Category::Processes;
         dwSourcesInvolved = (DWORD) DataSource::Registry | (DWORD) DataSource::FileSystem;
         dwTacticsUsed = (DWORD) Tactic::Execution;

diff --git a/BLUESPAWN-win-client/src/user/BLUESPAWN.cpp b/BLUESPAWN-win-client/src/user/BLUESPAWN.cpp
@@ -538,7 +538,7 @@ int main(int argc, char* argv[]) {
         }
 
         bluespawn.Run();
-    } catch(cxxopts::OptionParseException e1) {
+    } catch(const cxxopts::exceptions::exception& e1) {
         Bluespawn::io.InformUser(StringToWidestring(options.help()));
         LOG_ERROR(e1.what());
     }

diff --git a/BLUESPAWN-win-client/src/util/eventlogs/EventLogs.cpp b/BLUESPAWN-win-client/src/util/eventlogs/EventLogs.cpp
@@ -224,7 +224,7 @@ namespace EventLogs {
 
         // Open the channel config
         EventWrapper hChannel{ EvtOpenChannelConfig(NULL, channel.c_str(), 0) };
-        if(NULL == hChannel) {
+        if(hChannel == nullptr) {
             LOG_ERROR(L"EventLogs::IsChannelOpen: EvtOpenChannelConfig failed with " + std::to_wstring(GetLastError()) +
                       L" for channel " + channel);
             return false;
@@ -257,10 +257,13 @@ namespace EventLogs {
                 return false;
             }
         }
-        if(pProperty)
+        bool isEnabled = false;
+        if(pProperty) {
+            isEnabled = pProperty->BooleanVal;
             free(pProperty);
+        }
 
-        return pProperty->BooleanVal;
+        return isEnabled;
     }
 
     bool OpenChannel(const std::wstring& channel) {