Commonly Abused Windows Token Privileges: SeCreateTokenPrivilege

SeCreateTokenPrivilege — Create a token object

Determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs.

When a user logs on to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user’s privileges. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user’s access token until the next time the user logs on or connects.

GPO Setting Path

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

GPO Setting Name

Create a token object

Token Privilege

SeCreateTokenPrivilege

Associated ATT&CK Tactic(s)

Privilege Escalation (TA0004), Defense Evasion (TA0005)
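
An audit of this setting, as an added example that is not part of the original page: it lists the accounts that the local policy assigns "Create a token object" to, then checks whether the current process token carries SeCreateTokenPrivilege, which can lag behind the policy until the next logon. The function names are hypothetical, and secedit needs an elevated prompt.

```powershell
# Added example (not from the original page); function names are hypothetical.
function Get-CreateTokenAssignment {
    param([string]$Privilege = 'SeCreateTokenPrivilege')
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE); run elevated." }

        $line = Get-Content -LiteralPath $cfg |
            Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
        if (-not $line) { return }   # no account is assigned this right

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $account = $entry
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; resolve them to names where possible.
                $sid = $entry.TrimStart('*')
                try {
                    $account = [System.Security.Principal.SecurityIdentifier]::new($sid).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $account = "$sid (unresolved)" }
            }
            [pscustomobject]@{ Privilege = $Privilege; Entry = $entry; Account = $account }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Test-TokenHasPrivilege {
    param([string]$Privilege = 'SeCreateTokenPrivilege')
    # whoami /priv lists every privilege in this process's token, enabled or disabled.
    $rows = whoami.exe /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
    [bool]($rows | Where-Object Name -eq $Privilege)
}

$assigned = @(Get-CreateTokenAssignment)
$inToken  = Test-TokenHasPrivilege
$assigned | Format-Table -AutoSize
"SeCreateTokenPrivilege present in current token: $inToken"
if ($inToken -and $assigned.Count -eq 0) {
    # Policy and token disagree: the token was not built from the current policy.
    'Policy assigns the right to no account, yet this token still carries it.'
}
```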
