Senteon Blog

Commonly Abused Windows Token Privileges: SeCreateTokenPrivilege

Written by Henry Zhang | Sep 27, 2021 12:00:00 PM

SeCreateTokenPrivilege — Create a token object

This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs.

When a user logs on to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user’s privileges. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user’s access token until the next time the user logs on or connects.

GPO Setting Path

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

GPO Setting Name

Create a token object

Token Privilege

SeCreateTokenPrivilege

Associated ATT&CK Tactic(s)

Privilege Escalation (TA0004), Defense Evasion (TA0005)
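
One way to audit this assignment on a host, as an added example that is not code from the original post: it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` export and lists every account assigned `SeCreateTokenPrivilege`. The sample export, the `svc-legacy` account, the function names and the baseline of an empty assignment are assumptions made for illustration.

```powershell
# Added example: list the accounts assigned "Create a token object".
function Get-UserRightAssignment {
    param([string[]]$InfLines, [string]$Privilege = 'SeCreateTokenPrivilege')
    foreach ($line in $InfLines) {
        if ($line -match "^\s*$([regex]::Escape($Privilege))\s*=\s*(.*)$") {
            # Comma-separated entries; SIDs carry a leading '*', account names do not.
            return @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()   # right absent from the export: assigned to no account
}

function Resolve-Principal {
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }   # already an account name
    $sidText = $Matches[1]
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($sidText)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $sidText   # deleted or unresolvable account: report the raw SID
    }
}

function Export-UserRights {
    # Live export of the effective local policy; needs an elevated Windows prompt.
    $tmp = Join-Path $env:TEMP "user_rights_$PID.inf"
    secedit.exe /export /areas USER_RIGHTS /cfg $tmp | Out-Null
    try { Get-Content -Path $tmp } finally { Remove-Item -Path $tmp -ErrorAction SilentlyContinue }
}

# Constructed sample export (not taken from a real host).
$sample = @(
    '[Privilege Rights]'
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
    'SeCreateTokenPrivilege = *S-1-5-32-544,svc-legacy'
)

$UseLiveExport = $false   # set to $true to audit the local machine instead of the sample
$lines   = if ($UseLiveExport) { Export-UserRights } else { $sample }
$holders = @(Get-UserRightAssignment -InfLines $lines)

if ($holders.Count -eq 0) {
    'OK: no account is assigned "Create a token object".'   # assumed baseline
} else {
    $holders | ForEach-Object { "REVIEW: $(Resolve-Principal $_) holds SeCreateTokenPrivilege" }
    'Revoking an entry changes new tokens only; existing sessions keep it until the next logon.'
}
```

Running `whoami /priv` inside a session shows whether that session's token still carries the privilege after the policy has been changed.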