Question: How are LOLBin infections typically executed?


Bot

AI-powered Bot
No, scripts are not a necessary condition for a LOLBin infection to occur. LOLBins refer to legitimate tools (such as PowerShell, WMIC, etc.) that can be abused by attackers to execute malicious activities without relying on traditional malware. Other types of malware and network attacks that home users should be aware of include phishing attacks, ransomware, drive-by downloads, exploit kits, malicious email attachments, and social engineering techniques. It's important to stay updated with security software, regularly patch your system, and exercise caution while browsing the internet and opening email attachments.

Andy Ful

From Hard_Configurator Tools
The LOLBins can be abused at any infection stage and added to any infection vector.
At home, LOLBins are mostly introduced via scripts, scripts compiled to EXEs, scripts embedded in MSI files, files with active content (like documents with macros, scriptlets, plugins, add-ins), shortcuts, and exploits.
The above can be embedded in containers (archives, disk images) and are usually delivered via phishing, malvertising, email attachments, URLs embedded in documents and emails, HTML smuggling, etc.

cruelsister

Are scripts a necessary condition for a LOLBin infection to happen?
Actually quite the contrary. The vast majority will be spun off by exe's. A simple example would be the use of vssadmin.exe by ransomware to delete Shadow Copies. Other examples are the ability to make the malware persist by the inclusion of a schtasks command; the file wsreset.exe will often be spawned by malware to elevate privileges (and defeat UAC). A frequently used (also spawned by a malicious exe application) LoLBin is mshta, which will actually start either a VB script or JScript.

Lots of fun and interesting things can be done without reliance on a script to initiate them.

Andy Ful

From Hard_Configurator Tools
LOLBins are in the system for Administrative tasks. Administrators can use them directly or via scripts. Using the LOLBin as a child process of the EXE is usually more suspicious, especially in Enterprises. That is why the attackers also tend to use script-based methods, with some exceptions (like those mentioned by @cruelsister).
Anyway, it is possible that non-script-based methods can be more popular in the attacks against home users (or wide-spread attacks) than in Enterprises.
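The two points made in this thread (cruelsister's concrete LOLBins spawned by a malicious EXE, and Andy Ful's observation that a LOLBin running as the child of an arbitrary EXE is itself the suspicious signal) translate directly into detection rules over process-creation telemetry. The following is an added example written for this page, not code from any poster or from MalwareTips. It assumes a simplified `key=value` record layout standing in for Sysmon Event ID 1; the sample lines, the `TRUSTED_PARENTS` allowlist, and the rule names are all constructed for illustration.

```python
"""Added example: flag LOLBin abuse patterns in process-creation events.

Rules implemented (all derived from the thread's discussion):
  * vssadmin.exe deleting shadow copies (ransomware precursor)
  * wsreset.exe spawned by a non-system parent (UAC-bypass indicator)
  * mshta.exe spawned by an application rather than a shell (script proxy)
  * schtasks.exe /create from an untrusted parent (persistence)
  * generic: any LOLBin whose parent is not a normal interactive/admin shell
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry in a simplified key=value layout (not real Sysmon XML).
SAMPLE_EVENTS = r"""
Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine="explorer.exe"
Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Users\bob\AppData\Local\Temp\invoice.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Users\bob\AppData\Local\Temp\invoice.exe CommandLine="schtasks /create /sc onlogon /tn Updater /tr C:\Users\bob\AppData\Local\Temp\invoice.exe"
Image=C:\Windows\System32\wsreset.exe ParentImage=C:\Users\bob\Downloads\setup.exe CommandLine="wsreset.exe"
Image=C:\Windows\System32\mshta.exe ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="mshta.exe C:\Users\bob\AppData\Local\Temp\a.hta"
Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="schtasks /query"
Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="vssadmin list shadows"
"""

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# LOLBins named in the thread plus a few common ones (assumption: tune per environment).
LOLBINS = {"vssadmin.exe", "schtasks.exe", "wsreset.exe", "mshta.exe",
           "wmic.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Parents from which an administrator would normally launch these tools (constructed allowlist).
TRUSTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe",
                   "svchost.exe", "userinit.exe", "winlogon.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: ProcessEvent


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[ProcessEvent]:
    """Parse the key=value sample layout into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for m in FIELD_RE.finditer(line):
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        events.append(ProcessEvent(fields.get("Image", ""),
                                   fields.get("ParentImage", ""),
                                   fields.get("CommandLine", "")))
    return events


def evaluate(ev: ProcessEvent) -> list[Finding]:
    """Apply the parent/child and command-line rules to one event."""
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line.lower()
    findings = []
    if img == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        findings.append(Finding("shadow_copy_deletion", "high", ev))
    if img == "wsreset.exe" and parent not in TRUSTED_PARENTS:
        findings.append(Finding("wsreset_uac_bypass_candidate", "high", ev))
    if img == "mshta.exe" and parent not in TRUSTED_PARENTS:
        findings.append(Finding("mshta_spawned_by_application", "medium", ev))
    if img == "schtasks.exe" and "/create" in cmd and parent not in TRUSTED_PARENTS:
        findings.append(Finding("scheduled_task_persistence", "medium", ev))
    # Andy Ful's generic heuristic: a LOLBin as the child of an unexpected EXE.
    if img in LOLBINS and parent not in TRUSTED_PARENTS:
        findings.append(Finding("lolbin_child_of_untrusted_exe", "low", ev))
    return findings


def hunt(text: str) -> list[Finding]:
    """Run every rule over every event in the sample telemetry."""
    return [f for ev in parse_events(text) for f in evaluate(ev)]


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule name."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule:32} {basename(f.event.parent_image)} -> {f.event.command_line}")
```

On the constructed sample the benign administrative uses (`schtasks /query` and `vssadmin list shadows` from cmd.exe) produce nothing, while the four events spawned by `invoice.exe`, `setup.exe` and WINWORD.EXE each trip a specific rule plus the generic parent/child rule. The allowlist is the weak point of the generic rule, exactly as the thread implies: in an enterprise a LOLBin under an unknown EXE is rare enough to alert on, whereas on home systems the same heuristic needs the specific command-line rules to stay useful.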
