Windows Scheduler Credential Stealer

by Vince
in Blog

In the one-liner below, we are able to pop a credentials box and attempt to steal credentials. If we remove the pipe and what follows, we would see the output at the command line. With the pipe and what follows, we output it into a file. And since Public is public (the Public profile folder is writable by every user), we can easily write into that location.

After credentials are entered into the box, we check the output file and, sure enough, we find the password that was typed into the box. We could offload this to our server, but for this post we're just dropping the password into a file.

Let's say we want to schedule this to run as a task. If we dump that one-liner into a script and launch it, we'll get a PowerShell window sitting behind the credentials box, which doesn't go well for our ruse. This is dirty, I know, but it works: call Start-Process and add -WindowStyle Hidden. Finally, we want to choose our target, and we can glean that information from the /Users folder.

The following SCHTASKS command just runs it immediately, which leaves one box hanging open, and then the original command sets it to run once per day at the same time as when it was originally scheduled.
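From the defender's side, the two pieces of this setup (a scheduled task whose action launches PowerShell with a hidden window, and a script or output file living under the world-writable Public profile) are exactly what you would audit for. The following is an added example written for this post, not the author's code: the function names (Test-TaskAction, Find-HiddenPowerShellTask), the sample task actions and the Get-Credential check are my own assumptions, since the post does not name the cmdlet behind the credentials box.

```powershell
# Added example (not from the original post): audit scheduled tasks for an
# action that launches PowerShell with a hidden window and/or references the
# world-writable C:\Users\Public folder. Function names and sample data are
# constructed for this example.

function Test-TaskAction {
    param(
        [string]$Execute,
        [string]$Arguments
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    $cmd = "$Execute $Arguments"

    # PowerShell launched with a hidden window (-WindowStyle Hidden, or the
    # abbreviations -w h / -win hidden) is the tell for the ruse above.
    if ($cmd -match '(?i)powershell|pwsh' -and $cmd -match '(?i)-w(indowstyle|in)?\s+h(idden)?') {
        $reasons.Add('PowerShell launched with a hidden window')
    }
    # Start-Process ... -WindowStyle Hidden nested inside the script arguments.
    if ($Arguments -match '(?i)Start-Process' -and $Arguments -match '(?i)WindowStyle\s+Hidden') {
        $reasons.Add('Start-Process -WindowStyle Hidden in arguments')
    }
    # Scripts or output files under the Public profile, which any user can write to.
    if ($cmd -match '(?i)\\Users\\Public\\') {
        $reasons.Add('References C:\Users\Public')
    }
    # Assumption: the post does not name the cmdlet that pops the box; a
    # credential prompt has no legitimate use inside a scheduled task anyway.
    if ($Arguments -match '(?i)Get-Credential') {
        $reasons.Add('Credential prompt invoked from a scheduled task')
    }
    return $reasons
}

function Find-HiddenPowerShellTask {
    # Walk every registered task and emit one record per suspicious action.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM handler actions are skipped.
            if (-not $action.Execute) { continue }
            $reasons = Test-TaskAction -Execute $action.Execute -Arguments $action.Arguments
            if ($reasons.Count -gt 0) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Principal = $task.Principal.UserId
                    Command   = "$($action.Execute) $($action.Arguments)"
                    LastRun   = $info.LastRunTime
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
}

# Constructed sample actions (not from the post): a benign backup task and a
# hidden-window task pointing at a script in the Public folder.
$samples = @(
    @{ Execute = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Arguments = '-NoProfile -File C:\Scripts\backup.ps1' },
    @{ Execute = 'powershell.exe'; Arguments = '-WindowStyle Hidden -File C:\Users\Public\run.ps1' }
)
foreach ($s in $samples) {
    $r = Test-TaskAction @s
    '{0} {1} -> {2}' -f $s.Execute, $s.Arguments, $(if ($r.Count) { $r -join '; ' } else { 'clean' })
}

# On a live host, run the real sweep and tabulate the findings:
# Find-HiddenPowerShellTask | Format-Table -AutoSize
```

Test-TaskAction is kept separate from the Get-ScheduledTask sweep so the matching rules can be exercised against captured task XML or log lines offline; Find-HiddenPowerShellTask needs the ScheduledTasks module and therefore only returns results on a Windows host.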

Not pretty, but it's functional and it gets the job done.