The CREST Certified Red Team Specialist (CCRTS) examination assesses the expertise needed to lead a simulated attack informed by relevant threat intelligence and real-world scenarios. Candidates will be expected to compromise enterprise environments in order to help organisations gauge the potential impact of a real-world attack by simulating adversary tactics, techniques, and procedures (TTPs). This simulation provides a comprehensive test of the organisation's defences, including the effectiveness of its protective and detective controls.
The CCRTS exam is recognised by governments, regulators and intelligence-led frameworks around the globe and is a critical requirement of the Bank of England as part of the CBEST accreditation process. This exam was previously known as the CREST Certified Simulated Attack Specialist (CCSAS) but has been updated in line with industry terminology and lexicons.
The CREST Certified Red Team Specialist (CCRTS) exam is an advanced-level examination aimed at candidates with relevant knowledge and hands-on experience of leading red team engagements, often known as simulated attacks or adversary simulation.
Successful candidates will be able to demonstrate knowledge in a number of areas, including:
Awareness of local legislation pertaining to simulated attacks. Knowledge of legislation affecting simulated attacks with or on behalf of a specific sector. For the UK financial sector this would include CBEST, and for Europe this would be TIBER-EU or DORA, for example. A candidate must understand legal, ethical, moral, technical, logistical, financial and other constraints, and be able to take these into account without compromising the effectiveness of the red team engagement.
Knowledge of typical network types that could be encountered during a simulated attack, including Cloud and on-prem based services and common application layer protocols. Review and interpret documentation, configuration and threat intelligence to map networks and route attack paths around enterprise access controls and defenses. Understands symmetric and asymmetric cryptography, common protocols and their security attributes. Ability to use audit data to assist attack paths.
Can query DNS servers or use passive or historical DNS data to gather information on target systems. Can identify and exploit misconfigured DNS entries and associated vulnerabilities. Knowledge and experience of information harvesting techniques, and an understanding of the legal implications of scraping social media sites and use of stolen databases or leaks. Ability to perform cloud reconnaissance, identifying SaaS products or Cloud service providers in use by a target, and how they are utilised.
Implant design, evaluation, configuration and customisation. Able to select and use publicly available implant frameworks to meet requirements and provide appropriate threat emulation. Can utilise network bridges (e.g. 3G/4G, WiFi) to enable remote access, or can simulate based on a risk assessment.
Ability to interpret threat intelligence and simulate common initial access vectors against enterprise organisations. Use of common C2 frameworks applications to deliver implants, such as business communication & management or cloud apps. Ability to perform application and infrastructure attacks against a customer’s internet facing assets or cloud hosted services, using vulnerabilities as an initial access vector.
Knowledge, use and abuse of Active Directory Services, including Domain, Federation & Certificate Services. Exploitation of authentication controls, including Kerberos and certificate attacks, SSO & federation, tickets and replay attacks. Ability to fully list all installed applications on Windows or macOS and identify potentially vulnerable installations that could be exploited.
Evasion of allow-listing controls, including applications, filetypes or devices, using solutions in-built to the operating system or third party, e.g. living off the land. Ability to throttle network traffic and understand how to limit unnecessary connections or log entries, prioritising likely attack paths. Knowledge of monitoring solutions and ability to simulate a threat actor’s footprint while understanding and evading common enterprise monitoring solutions.
Demonstrate the ability to establish an outbound command and control channel from a compromised network through a well configured perimeter firewall, enumerating traffic types and network ports permissible. Awareness of IDS/IPS capabilities, egress filtering, proxying, and the ability to hide traffic within common protocols if applicable.
You can find the full CCRTS exam syllabus here.
CREST Certified Red Team Specialist (CCRTS) – Notes for Candidates
The notes for candidates gather essential information about the CCRTS exam and are intended to support CREST candidates in their preparation, increasing their chances of success.
1. Exam overview
The CREST Certified Red Team Specialist (CCRTS) examination assesses the expertise needed to lead a simulated attack informed by relevant threat intelligence and real-world scenarios. Candidates will be expected to compromise enterprise environments in order to help organisations gauge the potential impact of a real-world attack by simulating adversary tactics, techniques, and procedures (TTPs). This simulation provides a comprehensive test of the organisation’s defences, including the effectiveness of its protective and detective controls.
2. Exam structure
Exam format
The CCRTS exam has two distinct parts:
– A written exam which is made of two components: a multiple-choice test and a written scenario.
– A practical exam which is made of two components: the assault course and an operation security & tradecraft section.
Candidates will be given a TI pack containing information around the target of the assessment and scenario background which will include details on the threat actor and goals of the engagement. They will also be given useful data such as TTPs, domains and users.
Each lab is a unique instance and is built and verified before being displayed to each candidate. All answers are marked automatically.
Candidates can take the written and practical exams in whichever order they prefer, although we suggest that candidates start their exam path with the written exam.
Exam duration
Written exam
The written exam duration is 3 hours in total, split as follows:
– Multiple-choice test (1 hour)
– Written scenario (2 hours)
Candidates will be given an additional 15 minutes for reading time prior to the start of the written scenario component.
Candidates must start with the multiple-choice test followed by the written scenario component. The questions can be answered in any order within each component.
Practical exam
The practical exam duration is 3 hours and candidates will be given an additional 15 minutes for reading time prior to the start of the exam.
Pre-requisites
There are no pre-requisites to the CCRTS exam.
Exam notes
Written exam
The written exam is closed book. Therefore, no books, written notes, internet access or other electronic devices will be allowed. This applies to both components of the written exam: the multiple-choice test and the written scenario.
Practical exam
Candidates are able to pre-upload files ahead of their practical exam via CRESTDrive. These files will be accessible on the day of the exam.
Please visit our dedicated page here and read the FAQs here.
3. Exam grading
Written exam
– Multiple choice test (60 marks)
– Written scenario (120 marks)
Practical exam
– Red Team Assault Course (180 marks)
– Red Team Tactics, Tradecraft and Operational Security (120 marks)
Pass mark
Written exam
– Multiple choice test: candidates must achieve at least two thirds or 40 marks in this section.
– Written scenario: candidates must achieve at least two thirds or 80 marks in this section.
Passing one of the sections but failing the other one will result in a failure overall.
Practical exam
– Red Team Assault Course: candidates must achieve at least two thirds or 120 marks in this section.
– Red Team Tactics, Tradecraft and Operational Security: candidates must achieve at least half of the marks available in this section or 60 marks. The marks in this section are auto calculated based on detection results.
Passing one of the sections but failing the other one will result in a failure overall.
Feedback
Written exam
Results of the multiple-choice test will be available for candidates at the end of the exam via their Pearson VUE account and will provide a breakdown of the areas and how they have performed.
The results for the written scenario component and overall result of their written exam will be provided within 20 days from when the exam has been taken.
Practical exam
Candidates will receive an email from Pearson VUE once exam results are available in their Pearson VUE account. Results will usually be available within 24 hours but might take up to 48 hours in some cases due to additional verification checks. Candidates will receive their score in each section.
If you have not received your results after 48 hours and/or if you have any queries, please contact us via [email protected]
Here you can find some useful resources to support you in your exam preparation.
Self-assessment questionnaire
Answer this short questionnaire to find out if you are ready to take the CCRTS exams.
Written exam
Multiple choice questions
This section utilises multiple choice questions with five answers where only one of them is correct.
Written scenario
This section is structured around scenario questions that test the candidate's knowledge of different stages of an engagement as well as the different techniques utilised. This typically includes Scoping and Risk Management, Report and Debrief, as well as a number of questions testing the different techniques and skilled areas described in the syllabus.
Candidates are also provided with a TI pack with relevant information and contextualisation to help them with the Scoping and Risk Management section.
Please visit the ‘Sample TI Pack scenario’ drop-down section below.
Practical exam
Candidate machines
In order to allow candidates to familiarise themselves with the tooling available in the exam environment, two virtual machines are available. The virtual machines host a version of Kali Linux and a version of Windows which are available to use during the CCRTS exam.
The Amazon Machine Images (AMI) provided below are an exact copy of the exam machines, but Cobalt Strike will not be distributed with the downloadable AMI. This is fully licensed in the exam environment at Pearson VUE.
There is a licensed version of Proxifier (https://www.proxifier.com) running on Windows and Proxychains on Linux for SOCKS capability should you require this in the exam, including Visual Studio to compile any initial access droppers you may require for the end-to-end scenarios.
CREST will issue the link to the AMI directly to each candidate, and we strongly recommend that candidates familiarise themselves with the available tools and versions.
CCRTS practical – Kali Linux AMI
CCRTS practical – Windows Server 2022 AMI
Learn more about the lab environment created by CREST and what to expect when taking your exam at Pearson VUE in the CREST Practical exam guide.
Tooling
In this exam, both a Windows Server virtual machine and Kali Linux virtual machine are available to use with pre-installed and tested C2 frameworks.
Everything required to pass the exam is available on the candidate machines, either installed or available in the tools directory. However, the CRESTDrive is available for additional C2 modules or extensions for any of the frameworks installed, for example precompiled modules, BOFs, extensions, execution templates or cradles. Anti-Virus evasion is within the syllabus for the exam, so any files that may be required for evasion should also be brought into the exam using the CRESTDrive. Candidates can upload any other file types up to 100MB and in line with T&Cs.
You can switch between the two using the resources tab at the top; however, Windows is defaulted to the first machine. Both machines are on the same subnet and can ssh either way, e.g. from Windows to Kali by utilising “ssh kali@kali”. FileZilla is also installed and preconfigured, in the sites tab of FileZilla, to open the root of Kali Linux for easy distribution of files between machines.
Image 1: Candidate user experience – Instructions pane.
Image 2: Candidate user experience – Resources pane.
In addition to a large range of open source tools there is a licensed install on both Kali and Windows of Cobalt Strike if you choose to use this, including a selection of commonly used C2 frameworks which have been designated and tested for this exam:
The following additional tools are also included and may be useful when conducting the scenarios within the exam:
Candidates are provided with a TI pack with relevant information and contextualisation to help them with the Scoping and Risk Management section.
CCRTS Example Threat Pack 1 written
CCRTS Example Threat Pack 1 practical
The CCRTS exam is exclusively available in selected Pearson VUE Test Centres across the globe. You can book your exam now via CREST :: Pearson VUE.
Promo codes (for candidates)
Claim your promo code and unlock up to 75%* discount on the CCRTS exam. Limited Period and conditions apply*
*Promo code available until 28th February 2025. Exam must be booked by 28th February and sat by 31st March 2025.
CREST Pearson VUE vouchers
Pearson VUE vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice. For more information please contact [email protected].
Invigilation
A test centre administrator/invigilator will be present throughout the examination to answer any procedural questions that candidates may have and assist in troubleshooting. The invigilator will not provide any support or advice related to the exam content.
If an issue does occur, a case will be filed. Every effort will be made to accommodate the continuation of your exam and all cases will be investigated and resolved within 3-5 business days. Pearson VUE should provide you with a case ID number. Please ensure you retain this information as this may be required at a later date.
Special accommodations
Candidates must contact the CREST Support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam until the accommodation request has been processed. For more information, please contact [email protected]
How to cancel, postpone or reschedule
This is done through your own Pearson VUE registration and exam booking page and must be done at least 24hrs before your exam date.
Looking for more info on our CCRTS exam? Check out our handy CCRTS FAQs.