You can create CIR's to scan for the files the malware creates and report on those files

CIR look for Emotet file 1o6     FileExists(c:\windows\syswow64\cbsmfidl.exe)     
CIR look for Emotet file 2o6     FileExists(c:\windows\syswow64\SERVERNV.EXE)    
CIR look for Emotet file 3o6     FileExists(c:\windows\syswow64\servicedcom.exe)    
CIR look for Emotet file 4o6     FileExists(c:\windows\12345678.EXE)    
CIR look for Emotet file 5o6     FileExists(C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE)    
CIR look for Emotet file 6o6     FileExists(C:\WINDOWS\TEMP\1A2B.TMP)    
CIR look for Emotet key 1o2     RegistryKeyExists(HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7)
CIR look for Emotet key 2o2     RegistryKeyExists(HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D)

https://blog.malwarebytes.com/detections/trojan-emotet/