DET0650: Detection of Symmetric Cryptography
Analyst context for executives and security teams
DET0650 is a mobile ATT&CK detection strategy associated with identifying use of symmetric cryptography in command-and-control concealment. The business significance is that encrypted mobile C2 can reduce visibility for SOC and incident response teams: traffic may look opaque even when the app or device is communicating with adversary infrastructure. For leaders, this is less about banning encryption and more about verifying whether mobile security monitoring can distinguish normal app encryption from suspicious cryptographic behavior tied to Android or iOS threats.
Executive priority
Prioritize this as a visibility and response-readiness issue for mobile environments. Executives and risk owners should ask whether mobile device telemetry, network monitoring, and incident response playbooks can support investigations when an app uses algorithms such as AES, Blowfish, or RC4 to conceal C2 traffic. This can affect business continuity, compliance evidence, and incident decision-making because encrypted traffic may limit content inspection and shift reliance toward endpoint, app, metadata, and behavioral evidence.
Technical view
The supplied ATT&CK object provides no official detection text and no platform field on the detection strategy itself. Its relationship indicates it detects T1521.001, Symmetric Cryptography, in the mobile domain, with related platforms Android and iOS. SOC and detection engineering teams should therefore validate whether mobile telemetry can expose suspicious use of known symmetric algorithms, unusual encrypted network sessions, app-level cryptographic API usage where available, and supporting behavioral context. Detection should not treat symmetric encryption alone as malicious; it should be correlated with suspicious destinations, abnormal app behavior, command-and-control patterns, device compromise indicators, or untrusted applications.
Likely telemetry
- Mobile device management or mobile threat defense events for Android and iOS devices
- Network metadata for mobile traffic, including destination, frequency, session timing, and volume
- DNS, proxy, VPN, or secure web gateway logs associated with mobile devices where available
- Application inventory, signing, provenance, and reputation data
- Endpoint or mobile security telemetry that can surface suspicious app behavior or cryptographic library/API use where supported
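Where mobile threat defense does not expose cryptographic API use directly, one way to obtain that telemetry class is a static pass over the decompiled app (for example jadx output for an Android APK). The script below is an added example, not part of the ATT&CK object or any vendor tool; the decompiled excerpts, package names and heuristics are constructed for illustration. It builds a crypto profile of the app (which JCE transformations are requested, whether any legacy algorithm or ECB mode appears, and whether a SecretKeySpec is fed a hardcoded key), and marks the app for review only on those indicators, never on algorithm presence alone.

```python
"""Static crypto profile of a decompiled Android app, as triage enrichment.

Added example, not from the ATT&CK object or any real tool. The decompiled
excerpts are constructed for illustration and the heuristics are assumptions:
algorithm presence is recorded as context, never as an alert by itself.
"""
import re

# Constructed decompiled-source excerpts keyed by path (hypothetical packages).
DECOMPILED = {
    "com/example/chat/Transport.java": '''
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        SecretKey k = (SecretKey) keyStore.getKey("session", null);
        c.init(Cipher.ENCRYPT_MODE, k);
    ''',
    "com/sys/update/Net.java": '''
        Cipher c = Cipher.getInstance("RC4");
        byte[] key = "s3cr3tk3y".getBytes();
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "RC4"));
        Cipher d = Cipher.getInstance("Blowfish/ECB/PKCS5Padding");
    ''',
}

# Legacy/weak symmetric algorithm names as they appear in JCE transformation strings.
LEGACY = {"RC4", "ARCFOUR", "DES", "DESEDE", "BLOWFISH", "RC2"}
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
KEYSPEC_RE = re.compile(r'new\s+SecretKeySpec\(\s*([^,]+?)\s*,')
# A key argument that is a string literal or a byte-array literal is hardcoded.
LITERAL_RE = re.compile(r'^(?:"[^"]*"\.getBytes\(|new\s+byte\s*\[\s*\]\s*\{)')


def _is_literal_key(arg, source):
    """True if the SecretKeySpec key argument is a literal, directly or via a
    local byte[] variable initialised from a literal in the same file."""
    arg = arg.strip()
    if LITERAL_RE.match(arg):
        return True
    if re.fullmatch(r"\w+", arg):
        decl = re.search(r"byte\s*\[\s*\]\s+" + re.escape(arg) + r"\s*=\s*(.+?);", source)
        return bool(decl and LITERAL_RE.match(decl.group(1).strip()))
    return False


def crypto_profile(files):
    """Summarise Cipher transformations and key handling across decompiled files."""
    profile = {"algorithms": set(), "legacy": set(), "ecb_mode": set(), "hardcoded_key_files": []}
    for path, src in files.items():
        for transform in CIPHER_RE.findall(src):
            parts = transform.upper().split("/")
            profile["algorithms"].add(transform)
            if parts[0] in LEGACY:
                profile["legacy"].add(transform)
            if len(parts) > 1 and parts[1] == "ECB":
                profile["ecb_mode"].add(transform)
        if any(_is_literal_key(arg, src) for arg in KEYSPEC_RE.findall(src)):
            profile["hardcoded_key_files"].append(path)
    # "review" marks the app for analyst attention; it is not a compromise verdict.
    profile["review"] = bool(profile["legacy"] or profile["ecb_mode"] or profile["hardcoded_key_files"])
    return profile


if __name__ == "__main__":
    p = crypto_profile(DECOMPILED)
    print("algorithms:", sorted(p["algorithms"]))
    print("legacy:", sorted(p["legacy"]), "ecb:", sorted(p["ecb_mode"]))
    print("hardcoded keys in:", p["hardcoded_key_files"], "review:", p["review"])
```

The profile is meant to be joined with the network and provenance evidence described elsewhere on this page: an app that uses AES-GCM with keys from the platform keystore gets no review flag, while RC4 or Blowfish in ECB mode with a key literal in the binary is the kind of adversary-controlled symmetric encryption T1521.001 describes and is worth correlating with where that app connects.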
Detection direction
- Validate that mobile monitoring does not depend solely on decrypting traffic content, because the related technique specifically concerns adversary-controlled symmetric encryption of C2 traffic.
- Tune detections to combine cryptographic indicators with behavioral and network context; common legitimate mobile apps use symmetric encryption, so algorithm presence alone produces a high false-positive rate.
- Check coverage separately for Android and iOS, because the related technique lists both platforms and telemetry depth commonly differs by operating system, device ownership model, and management controls.
- Look for blind spots where personal devices, unmanaged mobile apps, encrypted DNS/VPN use, or limited mobile EDR/MTD deployment prevent correlation between app behavior and network activity.
- Use the relationship to T1521.001 as context for hunting C2 concealment, not as proof of compromise without local supporting evidence.
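The correlation the Technical view and the bullets above call for can be expressed as a small scoring rule over network metadata and app inventory, without ever looking at payload content. The following is an added example, not part of the ATT&CK object or any product; the session and inventory field names are assumptions and every record is constructed. It groups sessions by device, app and destination, measures how regular the timing and sizes are, joins the app's provenance, and only reports when behavioral and provenance evidence together cross a threshold, so a store app with regular keepalives and a sideloaded app with irregular traffic are both left alone.

```python
"""Correlate mobile network metadata with app provenance to find C2-like beaconing.

Added example, not part of the ATT&CK object or any vendor product. Record and
inventory field names are assumptions; all input data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed app inventory: package -> provenance (hypothetical field names).
APP_INVENTORY = {
    "com.example.bank": {"store": "play", "signer_known": True},
    "com.example.chat": {"store": "play", "signer_known": True},
    "com.sys.update":   {"store": "sideload", "signer_known": False},
}

BASE = 1_700_000_000
# Constructed session metadata: (device, package, destination, epoch_seconds, bytes_out).
# No payload content is used anywhere: the logic must work when traffic is opaque.
SESSIONS = (
    # sideloaded app: one session every 300 s, constant size -> beacon shape
    [("dev-01", "com.sys.update", "203.0.113.7", BASE + 300 * i, 512) for i in range(12)]
    # store app: user-driven traffic, irregular timing and sizes
    + [("dev-01", "com.example.chat", "chat.example.net", BASE + t, b)
       for t, b in [(15, 2400), (96, 18000), (400, 900), (1650, 53000),
                    (1700, 700), (3100, 2200), (3107, 31000), (3400, 1200)]]
    # too few sessions to judge periodicity
    + [("dev-01", "com.example.bank", "api.bank.example", BASE + t, 4000) for t in (60, 4000)]
)


def periodicity(timestamps):
    """Mean inter-session gap and its coefficient of variation (0.0 = perfectly regular)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def score_flows(sessions, inventory, min_sessions=8, alert_threshold=4):
    """Return findings for (device, app, destination) tuples whose combined
    timing, size and provenance evidence reaches alert_threshold.
    Beacon shape alone scores at most 3 and provenance alone 2, so neither
    crosses the default threshold without the other."""
    groups = defaultdict(list)
    for device, pkg, dest, ts, nbytes in sessions:
        groups[(device, pkg, dest)].append((ts, nbytes))

    findings = []
    for (device, pkg, dest), rows in groups.items():
        if len(rows) < min_sessions:
            continue  # not enough sessions to assess timing
        interval, gap_cv = periodicity([ts for ts, _ in rows])
        sizes = [b for _, b in rows]
        size_cv = pstdev(sizes) / mean(sizes)
        app = inventory.get(pkg, {"store": "unknown", "signer_known": False})

        score, reasons = 0, []
        if gap_cv < 0.2:
            score += 2
            reasons.append(f"periodic every ~{interval:.0f}s (gap cv {gap_cv:.2f})")
        if size_cv < 0.1:
            score += 1
            reasons.append(f"near-constant payload size (~{mean(sizes):.0f} B)")
        if app["store"] not in ("play", "appstore") or not app["signer_known"]:
            score += 2
            reasons.append(f"provenance {app['store']}, signer_known={app['signer_known']}")
        if score >= alert_threshold:
            findings.append({"device": device, "package": pkg, "dest": dest,
                             "sessions": len(rows), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_flows(SESSIONS, APP_INVENTORY):
        print(f"{f['device']} {f['package']} -> {f['dest']} score={f['score']}")
        for r in f["reasons"]:
            print("   ", r)
```

On the constructed data only the sideloaded app is reported (periodic, constant size, unknown signer). The thresholds are starting points to tune against your own baseline of managed devices; the structural point is that the rule needs only destination, timing, volume and inventory, which are the telemetry classes listed above and remain available when the content is encrypted.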
Mitigation priorities
- Establish mobile asset and app visibility first, including managed device inventory and approved application baselines.
- Ensure mobile security monitoring, network logging, and incident response collection can preserve metadata and app context when payload inspection is not possible.
- Apply least-privilege and mobile application control policies where appropriate, focusing on untrusted or sideloaded apps and risky app provenance.
- Build response procedures for suspected encrypted mobile C2 that include device isolation, app removal or containment, forensic preservation, and user impact assessment.
- Use compliance and audit activities to document what mobile telemetry is collected, retained, and reviewable during investigations.
Analyst notes and limits
This take is based on the DET0650 detection strategy object and its stated relationship to T1521.001, Symmetric Cryptography. Because the official detection strategy has no description, no official detection text, and no explicit platforms, the practical guidance is intentionally framed around validation questions and telemetry classes rather than specific analytic logic.
The source object is sparse. ATT&CK does not provide DET0650 detection details in the supplied fields, and no active exploitation, attribution, impact, or guaranteed detection coverage is stated. Local device management model, mobile telemetry availability, network architecture, and app inventory are required to determine actual coverage.
Detection of Symmetric Cryptography
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1521.001 | Symmetric Cryptography (sub-technique) | This object detects Symmetric Cryptography. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7c1c6dc516f2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0650 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.