From d6a091be7545dbccce95ceaf5852275d652de176 Mon Sep 17 00:00:00 2001
From: anti
Date: Sat, 9 May 2026 07:43:44 -0400
Subject: [PATCH] fix(ttp/stix): extract commands from both 'command' and 'command_text' keys
---
 decnet/ttp/stix_export.py | 4 ++--
 decnet/web/db/sqlmodel_repo/attackers/activity.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/decnet/ttp/stix_export.py b/decnet/ttp/stix_export.py
index b6749f17..dd361b22 100644
--- a/decnet/ttp/stix_export.py
+++ b/decnet/ttp/stix_export.py
@@ -323,9 +323,9 @@ def build_fleet_bundle(
 except Exception:
 raw_cmds = []
 cmds = [
- str(e.get("command_text", "")).strip()
+ str(e.get("command_text") or e.get("command") or "").strip()
 for e in raw_cmds
- if isinstance(e, dict) and e.get("command_text")
+ if isinstance(e, dict) and (e.get("command_text") or e.get("command"))
 ]
 intel = row.get("threat_intel")
diff --git a/decnet/web/db/sqlmodel_repo/attackers/activity.py b/decnet/web/db/sqlmodel_repo/attackers/activity.py
index a59d28da..da961a37 100644
--- a/decnet/web/db/sqlmodel_repo/attackers/activity.py
+++ b/decnet/web/db/sqlmodel_repo/attackers/activity.py
@@ -53,7 +53,7 @@ class AttackerActivityMixin(_MixinBase):
 seen: set[str] = set()
 out: list[str] = []
 for entry in commands:
- text = str(entry.get("command_text", "")).strip()
+ text = str(entry.get("command_text") or entry.get("command") or "").strip()
 if text and text not in seen:
 seen.add(text)
 out.append(text)
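Review bot: The filter in the `cmds` comprehension tests truthiness before `.strip()`, so an entry whose `command_text` is only whitespace still passes and contributes an empty string to `cmds`. Because `or` stops at the first truthy value, that whitespace also hides a usable `command` on the same entry; this second half applies to the activity.py hunk as well. Filtering on the stripped value fixes the empty entries and evaluates the lookup once, e.g. `for e in raw_cmds if isinstance(e, dict) and (t := str(e.get("command_text") or e.get("command") or "").strip())` with `t` as the element. These strings appear to be recorded attacker input that ends up in an exported bundle, so empty or shadowed entries reduce what downstream consumers can match on; `build_fleet_bundle` continues outside the hunk, so how `cmds` is used is not visible here.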
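Review bot: `entry.get(...)` is called on every element of `commands` with no type check, while the same extraction in stix_export.py skips non-dict elements with `isinstance(e, dict)`. If `commands` is decoded from the same stored data, a single malformed element raises AttributeError here and the whole command list for that attacker is lost. Unless the caller already filters (the method starts above the hunk), add `if not isinstance(entry, dict): continue` as the first statement of the loop. The two-key fallback is now written out three times across the two files; a small shared helper that returns the stripped command text would keep the accepted key names from drifting apart again.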