The vulnerability relies on the way Windows handles SID resolution. Because the system allows adding SIDs that aren't yet mapped to a user, the ACL essentially waits for its "missing half".

Yes, identified a technique known as Synthetic SID Injection .

A low-level account created later can suddenly "wake up" with Administrative or Domain Admin rights if those rights were pre-injected into the synthetic SID.

These synthetic entries often appear as "Account Unknown" or long strings of numbers in the security tab, which administrators frequently ignore as remnants of deleted accounts rather than active threats.

An attacker with high privileges (but perhaps needing to maintain long-term, hidden access) adds a non-existent SID to a resource's ACL.