The vulnerability relies on the way Windows handles SID resolution. Because the system allows adding SIDs that aren't yet mapped to a user, the ACL essentially waits for its "missing half".
For more detailed technical analysis, you can view the original research on the Varonis Blog.
A low-level account created later can suddenly "wake up" with Administrative or Domain Admin rights if those rights were pre-injected into the synthetic SID.
Yes, Varonis researchers identified a technique known as Synthetic SID Injection.
These synthetic entries often appear as "Account Unknown" or long strings of numbers in the security tab, which administrators frequently ignore as remnants of deleted accounts rather than active threats.
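One way to audit for the "Account Unknown" entries described above, as an added example that is not taken from the Varonis research: it parses an SDDL string and reports allow ACEs whose trustee is a domain SID absent from a set of SIDs that currently exist. The function names, the `known_sids` input (assumed to come from a directory export) and the sample SDDL are constructed for illustration; conditional ACEs with nested parentheses are not handled.

```python
import re

# Rights that let a trustee take over the object: generic all, file all,
# write DAC, write owner (SDDL codes), plus the matching access-mask bits.
TAKEOVER_CODES = {"GA", "FA", "WD", "WO"}
TAKEOVER_MASK = 0x10000000 | 0x00040000 | 0x00080000

DACL_RE = re.compile(r"D:[A-Z_]*((?:\([^()]*\))+)")   # DACL flags + ACE list
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")    # domain/machine account SID


def grants_takeover(rights):
    """True if the SDDL rights field (codes or hex mask) allows object takeover."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & TAKEOVER_MASK)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & TAKEOVER_CODES)


def unresolved_allow_aces(sddl, known_sids):
    """Return allow ACEs in the DACL whose trustee SID maps to no known account."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    findings = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type not in ("A", "OA"):          # deny/audit ACEs grant nothing
            continue
        if not DOMAIN_SID_RE.match(trustee) or trustee in known_sids:
            continue                             # alias (BA, SY) or live account
        findings.append({"sid": trustee, "rights": rights,
                         "takeover": grants_takeover(rights)})
    return findings


# Constructed sample: domain identifier and RIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (f"O:BAG:SYD:PAI(A;;FA;;;SY)(A;OICI;FA;;;BA)"
               f"(A;OICI;0x1200a9;;;{DOM}-1105)(A;OICI;FA;;;{DOM}-51234)"
               f"(A;;FR;;;{DOM}-60001)(D;;FA;;;{DOM}-7777)S:AI(AU;SA;FA;;;WD)")
KNOWN_SIDS = {f"{DOM}-1105"}                     # SIDs that exist today

if __name__ == "__main__":
    for finding in unresolved_allow_aces(SAMPLE_SDDL, KNOWN_SIDS):
        print(finding)
```

An unresolved SID with `takeover` set is the case worth triaging first, since it cannot be told apart from a deleted account's leftover ACE by appearance alone.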