Merge PR #5088 from @frack113 - Remove custom dedicated hash fields f…

…rom sigmac update: GALLIUM IOCs - remove custom dedicated hash fields update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields update: HackTool Named File Stream Created - remove custom dedicated hash fields update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields update: PUA - System Informer Driver Load - remove custom dedicated hash fields update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields update: WinDivert Driver Load - remove custom dedicated hash fields update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields update: Hacktool Execution - Imphash - remove custom dedicated hash fields update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields update: HackTool - Impersonate Execution - remove custom dedicated hash fields update: HackTool - LocalPotato Execution - remove custom dedicated hash fields update: HackTool - PCHunter Execution - remove custom dedicated hash fields update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields update: HackTool - Stracciatella Execution - remove custom dedicated hash fields update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields update: MpiExec Lolbin - remove custom dedicated hash fields update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields update: PUA - Nimgrab Execution - remove custom dedicated hash fields update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields update: PUA - Process Hacker Execution - remove custom dedicated hash fields update: PUA - System Informer Execution - remove custom dedicated hash fields update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields update: Renamed AdFind Execution - remove custom dedicated hash fields update: Renamed AutoIt Execution - remove custom dedicated hash fields update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields update: Renamed PAExec Execution - remove custom dedicated hash fields update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Nov 25, 2024 · d804e9c · d804e9c
1 parent d0e4e78
commit d804e9c
Show file tree

Hide file tree

Showing 45 changed files with 380 additions and 885 deletions.
diff --git a/deprecated/windows/driver_load_win_mal_poortry_driver.yml b/deprecated/windows/driver_load_win_mal_poortry_driver.yml
@@ -42,28 +42,6 @@ detection:
             - 'MD5=0f16a43f7989034641fd2de3eb268bf1'
             - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
             - 'MD5=909f3fc221acbe999483c87d9ead024a'
-    selection_hash:
-        - sha256:
-            - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
-            - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
-            - '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
-            - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
-            - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
-            - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
-        - sha1:
-            - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
-            - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
-            - '6debce728bcff73d9d1d334df0c6b1c3735e295c'
-            - 'cc65bf60600b64feece5575f21ab89e03a728332'
-            - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
-            - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
-        - md5:
-            - '10f3679384a03cb487bda9621ceb5f90'
-            - '04a88f5974caa621cee18f34300fc08a'
-            - '6fcf56f6ca3210ec397e55f727353c4a'
-            - '0f16a43f7989034641fd2de3eb268bf1'
-            - 'ee6b1a79cb6641aa44c762ee90786fe0'
-            - '909f3fc221acbe999483c87d9ead024a'
     condition: 1 of selection*
 falsepositives:
     - Legitimate BIOS driver updates (should be rare)

diff --git a/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml b/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml
@@ -19,16 +19,12 @@ detection:
             - 'MD5=a179c4093d05a3e1ee73f6ff07f994aa'
             - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
             - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
-    selection_other:
-        - md5: 'a179c4093d05a3e1ee73f6ff07f994aa'
-        - sha1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
-        - sha256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
     driver_img:
         ImageLoaded|endswith: '\aswArPot.sys'
     driver_status:
         - Signed: 'false'
         - SignatureStatus: Expired
-    condition: 1 of selection* or all of driver_*
+    condition: selection_sysmon or all of driver_*
 falsepositives:
     - Unknown
 level: high
diff --git a/deprecated/windows/driver_load_win_vuln_dell_driver.yml b/deprecated/windows/driver_load_win_vuln_dell_driver.yml
@@ -26,16 +26,6 @@ detection:
             - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25'
             - 'MD5=C996D7971C49252C582171D9380360F2'
             - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'
-    selection_hash:
-        - sha256:
-            - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
-            - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
-        - sha1:
-            - 'c948ae14761095e4d76b55d9de86412258be7afd'
-            - '10b30bdee43b3a2ec4aa63375577ade650269d25'
-        - md5:
-            - 'c996d7971c49252c582171d9380360f2'
-            - 'd2fd132ab7bbc6bbb87a84f026fa0244'
     condition: 1 of selection*
 falsepositives:
     - Legitimate BIOS driver updates (should be rare)

diff --git a/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml b/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml
@@ -18,25 +18,15 @@ logsource:
     product: windows
     category: driver_load
 detection:
-    selection_sysmon:
+    selection:
         Hashes|contains:
             - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3'
             - 'MD5=C832A4313FF082258240B61B88EFA025'
             - 'SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39'
             - 'SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46'
             - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427'
             - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B'
-    selection_other:
-        - md5:
-            - '9ab9f3b75a2eb87fafb1b7361be9dfb3'
-            - 'c832a4313ff082258240b61b88efa025'
-        - sha1:
-            - 'fe10018af723986db50701c8532df5ed98b17c39'
-            - '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46'
-        - sha256:
-            - '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'
-            - 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'
-    condition: 1 of selection*
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/deprecated/windows/driver_load_win_vuln_hw_driver.yml b/deprecated/windows/driver_load_win_vuln_hw_driver.yml
@@ -28,19 +28,6 @@ detection:
             - 'MD5=3247014BA35D406475311A2EAB0C4657'
             - 'MD5=376B1E8957227A3639EC1482900D9B97'
             - 'MD5=45C2D133D41D2732F3653ED615A745C8'
-    selection_other:
-        - sha256:
-            - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8'
-            - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa'
-            - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5'
-        - sha1:
-            - '74e4e3006b644392f5fcea4a9bae1d9d84714b57'
-            - '18f34a0005e82a9a1556ba40b997b0eae554d5fd'
-            - '4e56e0b1d12664c05615c69697a2f5c5d893058a'
-        - md5:
-            - '3247014ba35d406475311a2eab0c4657'
-            - '376b1e8957227a3639ec1482900d9b97'
-            - '45c2d133d41d2732f3653ed615a745c8'
     condition: 1 of selection*
 falsepositives:
     - Unknown

diff --git a/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml b/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml
@@ -16,16 +16,12 @@ logsource:
     category: driver_load
     product: windows
 detection:
-    selection_sysmon:
+    selection:
         Hashes|contains:
             - 'SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE'
             - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F'
             - 'MD5=B941C8364308990EE4CC6EADF7214E0F'
-    selection_hash:
-        - sha256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe'
-        - sha1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f'
-        - md5: 'b941c8364308990ee4cc6eadf7214e0f'
-    condition: 1 of selection*
+    condition: selection
 falsepositives:
     - Legitimate driver loads (old driver that didn't receive an update)
 level: high
diff --git a/deprecated/windows/proc_creation_win_apt_gallium.yml b/deprecated/windows/proc_creation_win_apt_gallium.yml
@@ -25,7 +25,7 @@ detection:
             - ':\Program Files(x86)\'
             - ':\Program Files\'
     legitimate_executable:
-        sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f'
+        Hashes|contains: 'SHA1=e570585edc69f9074cb5e8a790708336bd45ca0f'
     condition: legitimate_executable and not legitimate_process_path
 falsepositives:
     - Unknown

diff --git a/deprecated/windows/proc_creation_win_renamed_paexec.yml b/deprecated/windows/proc_creation_win_renamed_paexec.yml
@@ -21,11 +21,6 @@ logsource:
 detection:
     selection:
         - Product|contains: 'PAExec'
-        - Imphash:
-            - 11D40A7B7876288F919AB819CC2D9802
-            - 6444f8a34e99b8f7d9647de66aabe516
-            - dfd6aa3f7b2b1035b76b718f1ddc689f
-            - 1a6cca4d5460b1710a12dea39e4a592c
         - Hashes|contains:
             - IMPHASH=11D40A7B7876288F919AB819CC2D9802
             - IMPHASH=6444f8a34e99b8f7d9647de66aabe516

diff --git a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml
@@ -7,7 +7,7 @@ references:
     - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
 author: Tim Burrell
 date: 2020-02-07
-modified: 2023-03-09
+modified: 2024-11-23
 tags:
     - attack.credential-access
     - attack.command-and-control
@@ -19,7 +19,7 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection_sysmon:
+    selection:
         Hashes|contains:
             - 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
             - 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
@@ -59,48 +59,7 @@ detection:
             - 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'
             - 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'
             - 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
-    selection_hashes:
-        - sha256:
-              - '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
-              - '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
-              - '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
-              - '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
-              - '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
-              - 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
-              - '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
-              - '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
-              - '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
-              - '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
-              - 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
-              - '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
-              - '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
-              - '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
-              - '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
-              - '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
-              - '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
-              - '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
-              - '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
-        - sha1:
-              - '53a44c2396d15c3a03723fa5e5db54cafd527635'
-              - '9c5e496921e3bc882dc40694f1dcc3746a75db19'
-              - 'aeb573accfd95758550cf30bf04f389a92922844'
-              - '79ef78a797403a4ed1a616c68e07fff868a8650a'
-              - '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
-              - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
-              - 'e841a63e47361a572db9a7334af459ddca11347a'
-              - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
-              - '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
-              - 'dd44133716b8a241957b912fa6a02efde3ce3025'
-              - '8793bf166cb89eb55f0593404e4e933ab605e803'
-              - 'a39b57032dbb2335499a51e13470a7cd5d86b138'
-              - '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
-              - 'd209430d6af54792371174e70e27dd11d3def7a7'
-              - '1c6452026c56efd2c94cea7e0f671eb55515edb0'
-              - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
-              - '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
-              - 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
-              - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
-    condition: 1 of selection_*
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/...-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/...-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
@@ -21,14 +21,15 @@ references:
     - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-31
+modified: 2024-11-23
 tags:
     - attack.defense-evasion
     - detection.emerging-threats
 logsource:
     category: image_load
     product: windows
 detection:
-    selection_hashes_1:
+    selection:
         Hashes|contains:
             # ffmpeg.dll
             - 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
@@ -46,23 +47,7 @@ detection:
             - 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
             - 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF'
             - 'MD5=7FAEA2B01796B80D180399040BB69835'
-    selection_hashes_2:
-        - sha256:
-              - '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
-              - '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
-              - 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
-              - '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
-        - sha1:
-              - 'BF939C9C261D27EE7BB92325CC588624FCA75429'
-              - '20D554A80D759C50D6537DD7097FED84DD258B3E'
-              - '894E7D4FFD764BB458809C7F0643694B036EAD30'
-              - '3B3E778B647371262120A523EB873C20BB82BEAF'
-        - md5:
-              - '74BC2D0B6680FAA1A5A76B27E5479CBC'
-              - '82187AD3F0C6C225E2FBA0C867280CC9'
-              - '11BC82A9BD8297BD0823BCE5D6202082'
-              - '7FAEA2B01796B80D180399040BB69835'
-    condition: 1 of selection_*
+    condition: selection
 falsepositives:
     - Unlikely
 level: critical
diff --git a/...g-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/...g-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
@@ -21,7 +21,7 @@ references:
     - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-29
-modified: 2023-03-31
+modified: 2024-11-23
 tags:
     - attack.defense-evasion
     - attack.t1218
@@ -31,7 +31,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_hashes_1:
+    selection_hashes:
         Hashes|contains:
             # 3CX Desktop 18.12.407
             - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
@@ -60,41 +60,13 @@ detection:
             - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
             - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
             - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
-    selection_hashes_2:
-        - sha256:
-              - 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
-              - '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
-              - 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
-              - 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
-              - '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
-              - 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
-              - 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
-              - '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
-        - sha1:
-              - '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
-              - '3B43A5D8B83C637D00D769660D01333E88F5A187'
-              - '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
-              - 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
-              - '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
-              - '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
-              - 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
-              - 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
-        - md5:
-              - 'BB915073385DD16A846DFA318AFA3C19'
-              - '08D79E1FFFA244CC0DC61F7D2036ACA9'
-              - '4965EDF659753E3C05D800C6C8A23A7A'
-              - '9833A4779B69B38E3E51F04E395674C6'
-              - '704DB9184700481A56E5100FB56496CE'
-              - '8EE6802F085F7A9DF7E0303E65722DC0'
-              - 'F3D4144860CA10BA60F7EF4D176CC736'
-              - '0EEB1C0133EB4D571178B2D9D14CE3E9'
     selection_pe_1:
         - OriginalFileName: '3CXDesktopApp.exe'
         - Image|endswith: '\3CXDesktopApp.exe'
         - Product: '3CX Desktop App'
     selection_pe_2:
         FileVersion|contains: '18.12.'
-    condition: all of selection_pe_* or 1 of selection_hashes_*
+    condition: all of selection_pe_* or selection_hashes
 falsepositives:
     - Legitimate usage of 3CXDesktopApp
 level: high