diff --git a/decnet/ttp/stix_export.py b/decnet/ttp/stix_export.py
index b6749f17..dd361b22 100644
--- a/decnet/ttp/stix_export.py
+++ b/decnet/ttp/stix_export.py
@@ -323,9 +323,9 @@ def build_fleet_bundle(
             except Exception:
                 raw_cmds = []
         cmds = [
-            str(e.get("command_text", "")).strip()
+            str(e.get("command_text") or e.get("command") or "").strip()
             for e in raw_cmds
-            if isinstance(e, dict) and e.get("command_text")
+            if isinstance(e, dict) and (e.get("command_text") or e.get("command"))
         ]
 
         intel = row.get("threat_intel")
diff --git a/decnet/web/db/sqlmodel_repo/attackers/activity.py b/decnet/web/db/sqlmodel_repo/attackers/activity.py
index a59d28da..da961a37 100644
--- a/decnet/web/db/sqlmodel_repo/attackers/activity.py
+++ b/decnet/web/db/sqlmodel_repo/attackers/activity.py
@@ -53,7 +53,7 @@ class AttackerActivityMixin(_MixinBase):
             seen: set[str] = set()
             out: list[str] = []
             for entry in commands:
-                text = str(entry.get("command_text", "")).strip()
+                text = str(entry.get("command_text") or entry.get("command") or "").strip()
                 if text and text not in seen:
                     seen.add(text)
                     out.append(text)