
100+ Free CCRTS Practice Questions

CREST Certified Red Team Specialist (CCRTS) practice questions are available now; exam metadata is being verified.


2026 Statistics

Key Facts: CCRTS Exam

120/180: Assault Course pass mark (source: CREST CCRTS Syllabus v2.1)
60/120: Tradecraft section pass mark (source: CREST CCRTS Syllabus v2.1)
3 hours: Practical exam duration (source: CREST)
8 domains: Syllabus knowledge areas (source: CREST CCRTS Syllabus v2.1)
Auto-scored: Tradecraft scoring method (source: CREST CCRTS Syllabus v2.1)
Expert: Certification level (source: CREST)

The CREST CCRTS is an expert-level, hands-on red team certification delivered via Pearson VUE. The practical exam has two components: a Red Team Assault Course (pass mark 120 of 180) and an auto-scored Tradecraft and Operational Security component (pass mark 60 of 120, scored on whether the candidate's activity is detected during the exercise). The syllabus spans eight domains: soft skills, core technical skills, reconnaissance, implants, initial access, lateral movement and privilege escalation, evasion, and egress/C2. This practice exam tests theoretical knowledge; passing the real exam requires hands-on red team expertise in enterprise exploitation and OPSEC tradecraft.

Sample CCRTS Practice Questions

Try these sample questions to test your CCRTS exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. During a red team engagement, which MITRE ATT&CK tactic describes the adversary's goal of maintaining a foothold after initial compromise?
A. Initial Access
B. Persistence
C. Defense Evasion
D. Collection
Explanation: The answer is B. Persistence (TA0003) covers the techniques adversaries use to keep access across restarts, credential changes, and other interruptions that could cut them off. Examples include scheduled tasks, registry Run keys, and Startup folder entries.
2. A red team operator needs to enumerate Active Directory users without triggering LDAP query anomaly alerts. Which approach is most operationally secure?
A. Run ldapsearch with an anonymous bind from an external IP
B. Use BloodHound's SharpHound collector with stealth options and randomised delay intervals
C. Execute net user /domain from a newly compromised workstation without delay
D. Perform a zone transfer against the domain's DNS server
Explanation: The answer is B. SharpHound's --Stealth mode, combined with --Throttle (milliseconds between requests) and --Jitter (a percentage applied to that delay), skips the noisy per-host session enumeration and spreads the remaining LDAP queries over time, so the collection no longer produces the burst of queries that volume-based SIEM and EDR rules key on. The enumeration still happens and still appears in LDAP telemetry; the OPSEC gain is a lower rate and a less distinctive pattern, not invisibility. Option A fails in practice because Active Directory does not answer anonymous LDAP queries beyond rootDSE by default, option D returns DNS records rather than user objects, and option C is the classic noisy first action on a fresh foothold.
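The volume argument above can be made concrete. The following Python is an added example written for this page, not code from the original page or from the BloodHound project: it builds two constructed LDAP query streams, one from an unthrottled collector and one from a collector that sleeps a jittered delay between requests in the style of SharpHound's --Throttle and --Jitter, and runs both through a simple per-client sliding-window rate rule. The record format, the client addresses, the 100-queries-per-minute threshold and the `detect_ldap_bursts` function are all constructed for illustration and do not correspond to any product's telemetry or detection rule.

```python
import random
from collections import deque

# Constructed LDAP query records: (timestamp in seconds, client IP, LDAP filter).
# They stand in for domain-controller LDAP telemetry; they are not real DC events.
USER_FILTER = "(&(objectClass=user)(objectCategory=person))"


def unthrottled_collection(client, queries=400, start=0.0, gap_s=0.005):
    """Collector with no throttle: queries leave back to back, a few ms apart."""
    return [(start + i * gap_s, client, USER_FILTER) for i in range(queries)]


def throttled_collection(client, queries=400, throttle_ms=1500, jitter_pct=30, seed=7):
    """Collector that sleeps throttle_ms +/- jitter_pct between queries
    (the behaviour SharpHound's --Throttle/--Jitter flags produce)."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    t, events = 0.0, []
    for _ in range(queries):
        events.append((t, client, USER_FILTER))
        t += (throttle_ms / 1000.0) * (1 + rng.uniform(-jitter_pct, jitter_pct) / 100.0)
    return events


def detect_ldap_bursts(events, window_s=60.0, threshold=100):
    """Constructed volume rule: flag a client the first time it issues more than
    `threshold` queries inside any `window_s` window. Returns {client: first alert time}."""
    recent = {}   # client -> deque of timestamps inside the current window
    alerts = {}
    for ts, client, _filter in sorted(events):
        q = recent.setdefault(client, deque())
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and client not in alerts:
            alerts[client] = ts
    return alerts


def collection_duration(events):
    """Wall-clock cost of the collection: the price paid for staying under the threshold."""
    return events[-1][0] - events[0][0]


if __name__ == "__main__":
    burst = unthrottled_collection("10.0.5.23")
    slow = throttled_collection("10.0.5.77")
    print("alerts:", detect_ldap_bursts(burst + slow))   # only 10.0.5.23 is flagged
    print(f"throttled run: {len(slow)} queries over {collection_duration(slow):.0f}s")
```

The throttled collector issues the same 400 queries but takes roughly ten minutes to do it, which is the trade-off the question is really about: stealth options buy a lower rate at the cost of engagement time, and a defender who lowers the threshold or adds a rule on the filter text rather than the rate still sees the activity.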
3. Which Kerberos attack abuses accounts that have 'Do not require Kerberos preauthentication' set and does NOT require any domain credentials to execute?
A. Kerberoasting
B. AS-REP Roasting
C. Pass-the-Ticket
D. Silver Ticket
Explanation: The answer is B. AS-REP Roasting targets accounts with pre-authentication disabled. Because the KDC does not demand a timestamp encrypted with the user's key before answering, anyone who can reach the KDC on port 88 can send an AS-REQ for such an account and receive an AS-REP whose enc-part is encrypted with a key derived from that user's password; the blob is then cracked offline. No domain authentication is needed, but the attacker does need candidate usernames (from OSINT, a harvested user list, or a prior foothold). Kerberoasting requires an authenticated domain user to request service tickets, and Pass-the-Ticket and Silver Ticket both start from key material that has already been obtained.
4. An operator wants to bypass AMSI (Antimalware Scan Interface) before loading a PowerShell-based implant. Which technique directly patches the AmsiScanBuffer function in memory?
A. Encoding the payload with base64 and piping it through iex
B. Disabling PowerShell Constrained Language Mode via the registry
C. Patching AmsiScanBuffer in process memory so every call returns immediately with a result the host treats as clean
D. Setting the AMSI_DISABLE environment variable before launching PowerShell
Explanation: The answer is C. AMSI is a Windows interface; Defender (or a third-party engine) registers as its provider. The PowerShell host calls amsi.dll!AmsiScanBuffer on each script block before executing it. Overwriting the first bytes of that function in the current process with a stub that returns E_INVALIDARG (0x80070057) makes every scan call fail, and the host treats a failed scan as not detected, so subsequent script blocks load unscanned. The patch only affects the patched process, and both the well-known patch bytes and the write to amsi.dll's code pages are themselves signatured by Defender and most EDRs, so operators vary the patch or use other AMSI-neutralising approaches rather than the textbook one. Option A changes nothing, because the decoded script is still handed to AMSI, and option D names a variable AMSI does not honour.
5. During initial access via phishing, a red team operator uses a lure that routes the target through an Adversary-in-the-Middle (AiTM) proxy. What primary capability does this technique provide that standard phishing does not?
A. Delivery of macro-enabled Office documents
B. Capture of session cookies to bypass MFA
C. Automated credential spraying against the target's email gateway
D. Exfiltration of files from the victim's mailbox
Explanation: The answer is B. AiTM phishing proxies such as Evilginx2 or Modlishka sit between the victim and the legitimate service and relay the real login page. The victim authenticates for real and completes MFA, and the proxy captures the resulting session cookie along with the credentials. Replaying that cookie gives authenticated access without the password or a second factor until the session is revoked. This defeats OTP and push-based MFA; phishing-resistant methods such as FIDO2/WebAuthn bind the credential to the legitimate origin, so the proxy's domain cannot complete the authentication ceremony.
6. Which MITRE ATT&CK technique does 'Pass-the-Hash' fall under?
A. T1550.002 (Use Alternate Authentication Material: Pass the Hash)
B. T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting)
C. T1003.001 (OS Credential Dumping: LSASS Memory)
D. T1078 (Valid Accounts)
Explanation: The answer is A. Pass-the-Hash is catalogued as T1550.002 under Use Alternate Authentication Material. NTLM authentication proves knowledge of the NT hash, not of the password: the client's response to the server's challenge is computed from the hash itself, so an attacker holding the hash (typically dumped from LSASS, which is T1003.001) can authenticate without ever cracking it. The same NT hash also serves as the RC4 Kerberos key, which is why overpass-the-hash can turn it into a TGT. The distractors are real techniques that sit next to Pass-the-Hash in an attack chain but catalogue different behaviour.
7. A red team uses DNS over HTTPS (DoH) as its C2 channel. What is the primary operational security benefit of this approach?
A. DoH traffic bypasses all network firewalls unconditionally
B. DoH eliminates the need for redirector infrastructure
C. DoH traffic blends with legitimate HTTPS traffic and is encrypted, making DNS-based C2 inspection harder for defenders
D. DoH automatically rotates C2 domain names using domain generation algorithms
Explanation: The answer is C. DoH wraps DNS queries in HTTPS on port 443, so they are encrypted and look like ordinary web requests to the resolver. Sensors that parse port 53 traffic, and the internal resolver's query logs, see nothing, and inspecting the queries would require TLS interception of the traffic to the DoH endpoint. The benefit is not absolute: the DoH resolver's hostname and IP remain visible in TLS metadata and flow logs, so a defender who permits only the internal resolver and blocks known public DoH endpoints removes the channel entirely, and the timing and sizes of a beacon's requests can still be profiled.
8. Which of the following best describes the purpose of a 'redirector' in red team C2 infrastructure?
A. A host that performs ARP poisoning to redirect LAN traffic to the operator
B. A DNS server that resolves C2 domain names to IP addresses for implants
C. An intermediate server that forwards beacon traffic to the true C2 server, protecting its identity from incident responders
D. A proxy that decrypts TLS traffic from endpoints for inspection
Explanation: The answer is C. A redirector sits between the implant's beacon and the real team server. Defenders who investigate the beacon see only the redirector's address; if it is blocked or reported, the team server stays hidden and a replacement redirector is stood up. Redirectors also filter: requests that do not match the implant's expected URI, header, or user-agent pattern are served a decoy page, so scanners and analysts never reach the C2 endpoint. Common implementations are socat, nginx, Apache with mod_rewrite, and cloud-hosted services.
9. During a CREST red team engagement, a candidate is required to demonstrate operational security (OPSEC). Which action would MOST undermine OPSEC during an engagement?
A. Using malleable C2 profiles to mimic legitimate software traffic patterns
B. Conducting all research and tooling preparation on a dedicated, isolated operator workstation
C. Uploading a custom implant directly from the operator's home IP to a victim host
D. Rotating C2 domain names after a suspected detection event
Explanation: The answer is C. A connection from the operator's home IP leaves a personal, persistent address in the target's proxy, firewall, and endpoint logs, and potentially in threat-intelligence feeds, which ties the activity to the operator and burns the engagement's cover. Every connection into the target environment should leave through dedicated redirectors or a designated VPN egress, so that any address a defender discovers is disposable. Options A, B and D are all OPSEC good practice.
10. Kerberoasting (T1558.003) is effective because of which fundamental design decision in Kerberos?
A. Service tickets are signed with the KDC's private key, which attackers can extract from a domain controller
B. Service tickets contain cleartext passwords embedded in the ticket body
C. Service tickets are encrypted with a key derived from the service account's password, allowing offline cracking without interacting with the account again
D. The KDC does not validate whether the requesting user has permission to access the target service
Explanation: The answer is C. A service ticket's enc-part is encrypted with the long-term key of the account that owns the requested SPN: for RC4-HMAC (etype 23) that key is the account's NT hash itself, for AES it is a PBKDF2-derived key that is far slower to crack. That any authenticated user can request a ticket for any SPN is by design, since authorisation is the service's job rather than the KDC's, so option D describes normal Kerberos behaviour rather than the weakness. What makes the attack work is that the resulting blob can be attacked offline: the operator collects it once, for example with Impacket's GetUserSPNs.py or Rubeus, and runs a dictionary attack locally, so there is no lockout and no further domain telemetry. Computer accounts with SPNs have random 120-character passwords and are not worth attempting; the practical targets are user accounts with SPNs and human-chosen passwords, above all those still issuing RC4 tickets.

About the CCRTS Practice Questions

Verified exam format metadata for CREST Certified Red Team Specialist (CCRTS) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.