EventLog/Get-SysmonAccessMask.ps1

function Get-SysmonAccessMask {
    <#
    .SYNOPSIS
        Get the list of privileges for a given Sysmon Process Access Mask or get a mask for a given list.
    .DESCRIPTION
        Get the list of privileges for a given Sysmon Process Access Mask or get a mask for a given list.
    .EXAMPLE
        PS C:\> Get-SysmonAccessMask -AccessMask 0x418
        PROCESS_QUERY_INFORMATION
        PROCESS_VM_OPERATION
        PROCESS_VM_READ
        For a given access mask return a list of access rights.
    .EXAMPLE
        PS C:\> Get-SysmonAccessMask -AccessRight PROCESS_VM_READ,PROCESS_VM_OPERATION,PROCESS_QUERY_INFORMATION
        0x418
        For a list of access rights return an access mask for use in Sysmon filtering.
    .INPUTS
        Inputs (if any)
    .OUTPUTS
        String
        String[]
    .NOTES
        General notes
    #>

    [CmdletBinding(DefaultParameterSetName = 'Mask')]
    param (
        # Acces mask names.
        [Parameter(Mandatory=$true,
            ParameterSetName='Access')]
        [ValidateSet("PROCESS_CREATE_PROCESS", "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE","PROCESS_SET_INFORMATION",
        "PROCESS_SET_QUOTA", "PROCESS_QUERY_LIMITED_INFORMATION", "PROCESS_QUERY_INFORMATION", "PROCESS_SUSPEND_RESUME",
        "PROCESS_TERMINATE", "PROCESS_VM_OPERATION", "PROCESS_VM_READ", "PROCESS_VM_WRITE", "SYNCHRONIZE", "PROCESS_SET_LIMITED_INFORMATION")]
        [string[]]
        $AccessRight,

        # Access mask
        [Parameter(Mandatory = $true,
        ParameterSetName = 'Mask')]
        [Int32]
        $AccessMask
        
    )
    
    begin {
        $ProcessPermissions = @{
            "PROCESS_CREATE_PROCESS" = 0x0080
            "PROCESS_CREATE_THREAD" = 0x0002
            "PROCESS_DUP_HANDLE" = 0x0040
            "PROCESS_SET_INFORMATION" = 0x0200
            "PROCESS_SET_QUOTA" = 0x0100
            "PROCESS_QUERY_LIMITED_INFORMATION" = 0x1000
            "PROCESS_QUERY_INFORMATION" = 0x0400
            "PROCESS_SUSPEND_RESUME" = 0x0800
            "PROCESS_TERMINATE" = 0x0001
            "PROCESS_VM_OPERATION" = 0x0008
            "PROCESS_VM_READ" = 0x0010
            "PROCESS_VM_WRITE" = 0x0020
            "SYNCHRONIZE" = 0x00100000
            "PROCESS_SET_LIMITED_INFORMATION" = 0x2000
        }
    }
    
    process {
        switch ($pscmdlet.ParameterSetName) {
            'Mask' { 
                $mask_values = @()
                foreach($m in $ProcessPermissions.keys){
                    if($ProcessPermissions[$m] -band  $AccessMask){
                        $mask_values += $m
                    }
                }
                $mask_values 
            }

            'Access' {
                $mask = 0
                foreach($access in $AccessRight) {
                    $mask = $mask -bor $ProcessPermissions[$access]
                }
                "0x$([Convert]::ToString($mask, 16))"
            }
        }
    }
    
    end {
    }
}