Bounty — Active Directory Password Security & Compliance

Bounty is a Windows-Native Active Directory password security and compliance platform. It continuously scans AD environments for weak, breached, reused, and policy-violating passwords, then provides automated remediation through forced resets, alerting, and SIEM integration. Built with Go and Wails (React-TS frontend), Bounty runs as a desktop application with a companion Windows service that handles encrypted database operations via gRPC.

What Bounty Does

Bounty covers the full lifecycle of AD password security:

Capability	Description
Breached Password Detection	Compares AD password hashes against known breach databases to identify compromised credentials
Password Reuse Detection	Identifies accounts sharing the same password hash across the domain
AS-REP Roasting Detection	Finds accounts with Kerberos pre-authentication disabled (vulnerable to offline cracking)
Kerberoasting Detection	Identifies service accounts with SPNs that can be targeted for offline ticket cracking
Pre-Windows 2000 Account Detection	Finds legacy accounts with predictable default passwords
SPN Management	Enumerates and manages Service Principal Names across the domain
ADCS Assessment	Evaluates Active Directory Certificate Services for misconfigurations
Password Policy Enforcement	Configurable policies per domain, group, OU, and SPN type
Automated Remediation	Force password resets, disable accounts, or alert administrators
SIEM Integration	Real-time event forwarding to Splunk, Elastic, Sentinel, QRadar, Wazuh, ArcSight, Huntress

Feature Overview

Security Scans

Breached passwords, reuse detection, AS-REP roasting, Kerberoasting, Pre-2K accounts

Architecture

Wails desktop app, encrypted gRPC database service, DPAPI key management

Quick Start

Requirements

Windows 10/11 or Windows Server 2016+
Domain-joined machine or credentials with read access to AD
Local administrator (for service installation)

Installation

# Run the Bounty installer
.\Bounty-Setup.exe

On first launch, Bounty:

Creates the secure data directory at %LOCALAPPDATA%\Bounty
Generates an encryption key protected by Windows DPAPI
Installs the Bounty database service (gRPC over mTLS)
Generates a TLS key pair for service communication
Prompts for AD credentials to begin scanning

First Scan

Authenticate with domain credentials (username, password, domain FQDN)
Select the scan types to run from the dashboard
Review findings in the affected users tables
Configure policies and automated remediation

Architecture Overview

+--------------------------------------------------+
|              Bounty Desktop (Wails)               |
|                                                   |
|  +-------------+  +---------------------------+   |
|  |  React-TS   |  |     Go Backend            |   |
|  |  Frontend   |◄-|  (AD scans, analysis,     |   |
|  |             |  |   policy enforcement)      |   |
|  +-------------+  +---------------------------+   |
|                         |                         |
|                    gRPC (mTLS)                     |
|                         |                         |
|  +--------------------------------------------------+
|  |          Bounty Database Service                  |
|  |  (BadgerDB, DPAPI-encrypted, Windows Service)     |
|  +--------------------------------------------------+
|                         |
|                    LDAP / ADWS                     |
|                         |
|  +--------------------------------------------------+
|  |           Active Directory                        |
|  |  (Domain Controllers, Users, Groups, SPNs)        |
|  +--------------------------------------------------+

Scan Types

Scan	Detection	Remediation
Breached Passwords	Compare NT hashes against breach databases (NTDS.dit extraction via DCSync or RPC)	Force password reset, alert, notify user
Password Reuse	Group accounts by identical password hash	Alert, force unique passwords
AS-REP Roasting	Find accounts with `DONT_REQUIRE_PREAUTH` flag	Remove flag or alert with privileged user distinction
Kerberoasting	Find accounts with SPNs (request TGS tickets for offline cracking)	Alert, rotate SPN credentials
Pre-Windows 2000	Find accounts in the Pre-Windows 2000 Compatible Access group	Change password, alert
SPN Enumeration	List all Service Principal Names in the domain	Filter, manage, notify
ADCS Assessment	Evaluate certificate templates for ESC1–ESC16 vulnerabilities	Alert, report

Group and OU Management

Bounty supports a three-tier targeting system for groups and OUs:

State	Behavior
Targeted (1 click)	Group/OU is included in breach scans and remediation
Alert Only (2 clicks)	Group/OU is excluded from breach scans but alerts are sent
Excluded (3 clicks)	Group/OU is excluded from all scans entirely

This allows granular control over which parts of the directory are actively scanned and which are monitored passively.

SIEM Integration

Bounty forwards scan events and findings to SIEM platforms in real-time:

Platform	Status
Splunk	Supported
Elastic	Supported
Microsoft Sentinel	Supported
IBM QRadar	Supported
Wazuh	Supported
ArcSight	Supported
Huntress	Supported
Custom	Configurable webhook/syslog endpoint

Security Model

Layer	Protection
Encryption key	Windows DPAPI — key is bound to the machine and user, stored in `%PROGRAMDATA%\Bounty\svc.enc`
Database	BadgerDB with encryption at rest, accessed only through the Windows service
Service communication	gRPC over mTLS with auto-generated certificates
Credential handling	AD credentials used for LDAP/RPC only, never stored in the database
Tracking	Accounts tracked by SID (not name) to survive renames
Licensing	HWID-bound license validation via KrakenTech API

​Bounty — Active Directory Password Security & Compliance

​What Bounty Does

​Feature Overview

Security Scans

Architecture

​Quick Start

​Requirements

​Installation

​First Scan

​Architecture Overview

​Scan Types

​Group and OU Management

​SIEM Integration

​Security Model