Data Loggers & Add-Ons / Plugins

Can CIS intercept a keylogger, screenlogger append to a web browser as an add-on? What kind of behaviour would this be? Which CIS defense would intercept it (Image Execution…)? If an add-on / plugin is an executable, which file extension would I have to add to “Image Execution Control” to detect such an event?