---
title: "Prevent Cron and At Job Persistence | Security Cookbook"
description: "Stop attackers from gaining macOS persistence through cron and at jobs. Workshop file access rules block writes to crontab and at job directories."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/prevent-cron-persistence"
---

### Idea

Launch Agents and Launch Daemons get all the attention when it comes to macOS persistence. But lurking in the background are two older Unix job schedulers that still work just fine on macOS and are still used today: `cron` and `at`. Security teams focused on monitoring `/Library/LaunchAgents` might miss a quiet crontab entry in `/private/var/at/` or `/usr/lib/cron/`. Luckily, Workshop and Santa's file access rules can lock these down at the filesystem level. No writes to the crontab directory means no cron persistence. Simple!

### Solutions

File Access: Block Cron and At Persistence

Prevent writes to cron and at directories

Path Prefixes

-   `/private/var/at/`
-   `/usr/lib/cron/`

Options

-   Allow Read Access: `true`
-   Audit Only: `false`
-   Rule Type: `PathsWithAllowedProcesses`

Custom Message

-   Cron and at job creation is not allowed

### MITRE ATT&CK

Tactics

-   [Persistence](https://attack.mitre.org/tactics/TA0003/)
-   [Execution](https://attack.mitre.org/tactics/TA0002/)
-   [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)

Techniques

-   [T1053: Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)
-   [T1053.003: Cron](https://attack.mitre.org/techniques/T1053/003/)
-   [T1053.002: At](https://attack.mitre.org/techniques/T1053/002/)

### Tags

-   cron
-   persistence

### Deployment Notes

This blocks writes to the entire `/private/var/at/` and `/usr/lib/cron/` directory trees, covering crontabs, at jobs, and related files like `at.allow` and `at.deny`.

However, some legitimate software does use cron, like Homebrew updates and cleanup, third-party backup software, and developer automation scripts. Audit your environment before deploying deny rules. If specific tools need cron access, add them as exceptions in the "Processes" array with their signing ID and team ID.

### False Positive Guidance

Legitimate tools that may use cron:

-   Homebrew automatic updates
-   Backup software
-   Developer automation scripts
-   System monitoring tools

Audit your environment and add exceptions as needed.
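
One way to run the audit recommended here and in the Deployment Notes, as an added example (not part of the original page or North Pole Security's tooling): a POSIX shell function that inventories existing crontabs, queued at jobs, and `at.allow`/`at.deny` files under the two path prefixes the rule covers. The `tabs` and `jobs` subdirectory names are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example: list existing crontabs and at jobs before enforcing the rule.
# Assumption (not stated on the page): per-user crontabs sit in a "tabs"
# subdirectory and queued at jobs in a "jobs" subdirectory.

# audit_cron_at [ROOT] prints one tab-separated line per finding:
#   cron  <dir>  <user>  <active lines>   (active = not blank, not a comment)
#   at    <dir>  <job file>
#   acl   <dir>  <at.allow|at.deny>
audit_cron_at() {
    root="${1:-}"; root="${root%/}"
    seen=""
    # The two path prefixes covered by the rule.
    for rel in private/var/at usr/lib/cron; do
        dir="$root/$rel"
        [ -d "$dir" ] || continue
        # Resolve symlinks so one directory reached by two paths is reported once.
        real=$(cd "$dir" 2>/dev/null && pwd -P) || continue
        case "$seen" in *"|$real|"*) continue ;; esac
        seen="$seen|$real|"

        for tab in "$dir"/tabs/*; do
            [ -f "$tab" ] || continue
            if [ -r "$tab" ]; then
                n=$(grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$tab" || true)
            else
                n="unreadable"   # crontabs are typically readable by root only
            fi
            printf 'cron\t%s\t%s\t%s\n' "$rel" "${tab##*/}" "$n"
        done

        for job in "$dir"/jobs/*; do
            [ -f "$job" ] || continue
            printf 'at\t%s\t%s\n' "$rel" "${job##*/}"
        done

        for f in at.allow at.deny; do
            if [ -e "$dir/$f" ]; then printf 'acl\t%s\t%s\n' "$rel" "$f"; fi
        done
    done
    return 0
}

# Scan the live system by default, or pass another root (mounted image, test tree).
audit_cron_at "${1:-/}"
```

Run it as root so crontabs are readable. The accounts it lists are the ones to review when deciding which tools need an exception.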

### Resources

[Twitter: Cron Still Used Today](https://twitter.com/L0Psec/status/1963614996069322898)

