|Data Sources||File monitoring, Process Monitoring|
Per Apple’s developer documentation, there are two supported methods for creating periodic background jobs: launchd and cron1.
Each Launchd job is described by a different configuration property list (plist) file similar to Launch Daemons or Launch Agents, except there is an additional key called
StartCalendarInterval with a dictionary of time values 1. This only works on macOS and OS X.
System-wide cron jobs are installed by modifying
/etc/crontab while per-user cron jobs are installed using crontab with specifically formatted crontab files 1. This works on Mac and Linux systems.
Both methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence234, to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled tasks. Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting tools.
Legitimate scheduled jobs may be created during installation of new software or through administration functions. Tasks scheduled with launchd and cron can be monitored from their respective utilities to list out detailed information about the jobs. Monitor process execution resulting from launchd and cron tasks to look for unusual or unknown applications and behavior.